Re: pf anchors attached to irrelevant states

2024-05-19 Thread Markus Wernig

On 5/19/24 13:37, Stuart Henderson wrote:


I can confirm this is a problem, definitely seen in 7.4, I can't remember
if 7.3 was affected. 7.2 from Dec 22 seems ok.


Yes, 7.3 is affected. It is the same problem reported here:
https://marc.info/?l=openbsd-misc=168754952806369



Re: lcamtuf on the recent xz debacle

2024-04-04 Thread Markus Wernig

On 4/4/24 23:17, Katherine Mcmillan wrote:

an open source data compression utility available on almost all installations of 
Linux and other Unix-like operating systems."


There are a couple of problems with this statement, but I just want to 
focus in on the "almost all installations of Linux and other Unix-like 
operating systems" part. 


The statement reads "available on almost all ...", which is correct, as 
far as I can tell. But yes, the backdoor code in the version that was 
discovered seems to have targeted only Linux.




Re: Bridging firewall with online update/upgrade

2024-04-03 Thread Markus Wernig

On 4/3/24 18:19, Karel Lucas wrote:

I want to use ETH1 for the input from my
ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I
would like to use ETH4 for the update/upgrade of the firewall. Remove
the connection from ETH1, plug it into ETH4, and update/upgrade. Then
the connection returns to ETH1. ETH4 therefore receives an IP address
and ETH1,ETH2 and ETH3 not. But now the problem: as long as the network
connection of the ADSL modem is in ETH4, my network, including the
firewall, is no longer secured, and attackers can take advantage. I
therefore wonder whether it is possible to let the data flow via ETH1
and ETH4 first pass through PF before an update/upgrade is done via
ETH4. This means that the bridging firewall will have two entrances, one
without and one with an IP address. I would like to know if that is
possible, or if there is another option.
I'm not entirely sure about how bridging works on OpenBSD and PF, but 
the answer, from a network point of view, would be "Don't make ETH4 part 
of the same bridge as ETH1-3, and apply a basic, restrictive ruleset to 
ETH4, allowing only for the update traffic to/from $self".

(I hope I'm not missing something basic here)
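One way to write what the reply suggests, as an added example that is not from the thread: ETH4 stays out of bridge0 and gets its own small ruleset, so the modem's link on ETH4 is filtered while the update runs instead of bypassing pf. Interface names (em0 to em3 for ETH1 to ETH4), a static address on em3 and an HTTPS mirror are assumptions.

```pf
# Added example, not from the thread. ETH1-ETH3 are em0-em2, members of
# bridge0 without addresses; ETH4 is em3, the only interface with an
# address, and is NOT added to bridge0. Names are assumptions.
ext_if  = "em0"
lan_ifs = "{ em1, em2 }"
upd_if  = "em3"

set skip on lo0
set block-policy drop
block log all

# Bridged traffic between the modem and the LAN: the existing policy for
# the bridge members ($ext_if, $lan_ifs) stays here, unchanged.

# em3: only the firewall's own update traffic, initiated from its own
# address; name resolution plus the mirror over HTTPS. Replies come back
# through the state the pass-out rule creates, nothing else is needed.
pass out quick on $upd_if inet proto { tcp, udp } from ($upd_if) to any port 53
pass out quick on $upd_if inet proto tcp from ($upd_if) to any port 443

# Nothing enters em3 unsolicited, and nothing arriving on em3 is forwarded
# towards the bridge members. The default block above already does this;
# stated explicitly so those hits are easy to find in pflog.
block drop in log quick on $upd_if all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and while the modem is cabled to ETH4 watch `tcpdump -n -e -ttt -i pflog0` for anything leaving em3 other than the firewall's own DNS and HTTPS; the inbound block rule logs, so anything arriving unsolicited on em3 shows up there too.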



Re: can't find PID

2024-03-05 Thread Markus Wernig

I have asked myself the same question.

When running tcpdump -n -i pflog0 with the -e -v flags (and only in 
that combination), it outputs tuples that look like they should be a 
uid and pid:


16:40:47.110033 rule 2/(match) [uid 0, pid 92257] block in on trunk0: ...
(it's 92257 on the machine this example is from, but is different on 
other machines)


The pid that "pid" references does not show up in any invocation of ps 
(-A, -a, -H, -k). It's also not mentioned in tcpdump(8).


pflog(4) does mention a uid_t uid and pid_t pid field in the pfloghdr 
struct, but does not say where the values come from.


When I reload the pf ruleset with pfctl, the number in the pid field 
changes. So my assumption is that it is the pid of the pfctl process 
that inserted the rule. Is that correct?


thx /m

On 3/5/24 15:45, Theo de Raadt wrote:


What are you expecting here??



ofthecentury  wrote:


Yes, I'm tcpdumping pflog and ALL my dropped packets
reference some PID 6504 that is not found among
the processes that are running.




Re: Open-source security processor

2023-09-07 Thread Markus Wernig

On 9/8/23 00:24, Richard Thornton wrote:


Say you had the guts of an x86_64 desktop running Windows on the bench and
another computer running OpenBSD right next to it, is there some mechanism
available that could allow you to integrity scan the NVMe drive (and also
the firmware but that's probably an easier problem solved with something
like SPI) of the powered-off x86_64 with the OpenBSD box, like a hardware
device that allows both OpenBSD and the laptop physical hardware level
access to the same NVMe, or would you have the NVMe in OpenBSD, scan it and
then somehow "hand over" the NVMe to Windows?

The NVMe drive can't be physically touched, not just swapped from board to
board, I'm thinking of this from a more "embedded" viewpoint.


If you think about a forensic analysis and/or integrity check of the 
*contents* of the NVMe, you should draw a binary image of the disk and 
analyze that. If you cannot remove the disk, but boot the system from an 
external device (into whatever OS you prefer), you could create such a 
copy from there (dd is your friend). You could also analyze the disk 
directly from there, but there's a high probability that you will modify 
it by doing so (in case you have to mount the filesystems).


If you cannot boot the system from an external device (because it is e.g. 
in a hibernated state that you need to preserve), I don't think there is 
much you can do without removing the disk from the computer.


/m
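The imaging step, as an added example that is not part of the reply: a small sh wrapper around dd that produces a raw image and a SHA-256 of both source and image, so the copy can be verified before anything is mounted. The device paths in the comments are assumptions; the data the test feeds it is a constructed file.

```sh
#!/bin/sh
# Added example: hash-verified raw imaging with dd, the reply's "draw a
# binary image of the disk and analyze that". Runs from the external boot
# medium and never opens the source for writing.
#
# bs is the sector size (512 here; check disklabel for 4k-sector disks) so
# that conv=noerror,sync only ever pads an unreadable sector with zeros,
# keeping every later offset where it belongs, instead of padding a large
# final block and making the image longer than the disk. On OpenBSD the
# source would be the raw device, e.g. /dev/rsd1c (assumption; use the
# device dmesg shows for the target disk).

# sha256_of FILE: print the hex digest; sha256(1) on OpenBSD, sha256sum on Linux.
sha256_of() {
  if command -v sha256 >/dev/null 2>&1; then
    sha256 -q "$1"
  elif command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    echo "sha256_of: no SHA-256 tool found" >&2
    return 1
  fi
}

# image_disk SRC DST: copy SRC to DST sector by sector, keep dd's record
# counts in DST.ddlog and record the image digest in DST.sha256.
image_disk() {
  src=$1; dst=$2
  dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$dst.ddlog" || return 1
  printf '%s  %s\n' "$(sha256_of "$dst")" "$dst" > "$dst.sha256"
}

# verify_image SRC DST: re-read the source and compare its digest with the
# image and with the digest recorded at imaging time. 0 only if all agree.
verify_image() {
  src=$1; dst=$2
  recorded=$(cut -d' ' -f1 "$dst.sha256") || return 1
  [ "$(sha256_of "$src")" = "$recorded" ] && [ "$(sha256_of "$dst")" = "$recorded" ]
}

if [ "${1-}" = "demo" ] && [ -n "${2-}" ] && [ -n "${3-}" ]; then
  image_disk "$2" "$3" && verify_image "$2" "$3" && echo "image verified"
fi
```

Work on the image from then on (vnconfig(8) can attach it as a disk and the filesystems can be mounted read-only from there); the source hash is the one thing worth recording outside the image directory, because it is what lets you show the copy matches the disk as it was when the system was powered off.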



Re: volatility or something like that in the future ?

2023-08-19 Thread Markus Rosjat

Hey,

Am 19.08.2023 um 12:05 schrieb whistlez:

I honestly don't understand this hatred. I call it that because I refuse
to accept that you didn't understand the question. Volatility has no
plugin to interpret a ram dump on openbsd and so having only the dump is
totally useless. If you really don't understand I'll paste the
volatility help to show you that there are no plugins for openbsd but
only for linux, windows and mac.
Just a simple suggestion here: as far as I can see this tool/application 
is written in Python, so, as mentioned before, make your own plugin? 
Python should be available on OpenBSD, you can use the tools to dump 
information, you can start asking people who have a clue how to interpret 
the dump to give you hints and pointers, and then simply display it in 
your plugin as you please.


That said, you of course need to put in the effort to write the plugin, 
and if you can't do it you might want to ask on GitHub if people who can 
are willing to do the work mentioned above. At that point you might get 
your plugin done.

And as clarification, I don't write that with any hatred, just as an 
observer of the past few mails.


Cheers

--
Before you write me an email ... have you tried switching it off and on again ?

Markus Rosjat    fon: +49 351 8107224    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227



Re: Allwinner D1 riscv64 mango pi SBC

2023-07-20 Thread Markus Rosjat

Hi Peter,

I got a VisionFive2 SBC lying around, so if this is of interest for 
the devs too I can ship it somewhere.


cheers

Markus

Am 20.07.2023 um 10:32 schrieb Peter J. Philipp:

Hi all,

Just so we don't lose the warm fuzzy feelings around this.  Diana do 
you want to give me your paypal address so I can transfer the 30 EUR 
to you?  I'm very excited about this, particularly because the mango 
pi comes out of china.


Here is some interesting read I googled the other day: 
https://www.hpcwire.com/2023/07/19/how-china-is-building-an-open-national-chip-plan-around-risc-v/


Risc-v is really taking off!  I do hope that sifive can give us 
something of value, because I heard about this Milk-V computer giving 
Intel/Sifive a run for their products.


https://liliputing.com/milk-v-computers-feature-up-to-64-risc-v-cpu-cores/ 



That said I'm hoping to invest in another risc-v computer by next 
year.  Support for it will probably lack and I'll run linux on it for 
a while perhaps.


Best Regards,

-peter

On 7/19/23 03:40, deich...@placebonol.com wrote:
I'm going to reach out to a few folks who I see are doing riscv64 
specific development.  I realize they might not want to take on yet 
another h/w design.


g.day


On July 18, 2023 3:14:18 PM MDT, Mike Larkin  
wrote:


    On Tue, Jul 18, 2023 at 02:02:45PM -0600, deich...@placebonol.com
    wrote:

    Hi Mike I've volunteered to coordinate a purchase of Mango Pi
    to get them into OpenBSD developers working on riscv64
    platform. It has been awhile but I used to facilitate getting
    h/w into OpenBSD developers hands on a semi-regular basis. diana

    Great. I don't know who would be interested, so I'd wait to let
    them speak up before ordering anything. -ml

    On July 16, 2023 1:13:02 PM MDT, "Peter J. Philipp"
     wrote:

    On Sun, Jul 16, 2023 at 06:25:50PM +, Mike Larkin wrote:

    On Sun, Jul 16, 2023 at 11:56:51AM +0200, Peter J.
    Philipp wrote:

    Hi *, I'm back for the moment. I was wondering who has an Allwinner
    D1 riscv64 SBC? This is the Mango Pi SBC. I have one which has linux
    on it currently but I'm trying to boot OpenBSD on it. But I'm fairly
    lazy and haven't done much with this lately. I can get to the riscv64
    loader but when it loads the kernel, it goes blind. So there is more
    than just getting the GPIO pins configured which I think I have been
    able to adjust. I use a QEMU-based riscv64 emulation to compile
    kernels which is slow but this SBC isn't much faster either (1000 Mhz
    it claims). I use this u-boot directive to get into the boot loader:

    setenv bootobsd 'load mmc 0:1 0x4FA0 /boot/dtbs/5.19.0-1009-allwinner/allwinner/sun20i-d1-nezha-memory.dtb ; load mmc 0:f 0x4008 /EFI/OpenBSD/BOOTRISCV64.EFI ; bootefi 0x4008 0x4FA0'

    followed by a: run bootobsd

    I am unsure how to save this though in the u-boot itself. Any hints
    would be appreciated. I think we need a specific riscv mailing list
    for this sort of stuff perhaps it's too technical for misc.

    Regarding to the nostradamus stuff of someone from chicago (Re: A
    couple of Questions), check out "1st wave" and "cade foster" on
    youtube (reruns), this will feed you more ideas. my personal opinion
    is that time travel of information is possible, contributing to major
    headaches when events get changed (for the prometheus seers). Back to
    "reality" I'm looking for a group of people to help getting the mango
    pi working. I'm hampered by pride to ask knowledgeable people and
    these people have their own directions and I don't want to bother
    their efforts. The more we are the more we could possibly get
    something done.

    The best way to get that done is to get hardware in the hands of
    developer(s). Wishing on misc@ is likely not going to get anyone
    interested. Check the commit logs for people working in this area,
    reach out to them, and see if they are interested in helping. -ml

    Hi Mike, Thanks. This will take a bit, I'm in talks to get a new job
    soon, which will put extra money in my pocket. Then I may be able to
    get a handful of these perhaps. Do you still keep

Re: IP6 redirects through relayd no longer working reliably

2023-06-28 Thread Markus Wernig
Just for the record: the problem was caused by a malfunctioning upstream 
gateway, which no longer responded properly to neighbor solicitation 
requests.


The SYN ACK from the server was dropped because the firewall had already 
removed the state created by the SYN.


On 6/23/23 22:51, Markus Wernig wrote:

pflog shows that the IPv6 SYN-ACK replies from the backend servers are 
being dropped by pf. But weirdly the blocks are logged over 30 seconds 
after the SYN is allowed through:






IP6 redirects through relayd no longer working reliably

2023-06-23 Thread Markus Wernig

Hi all

(Sorry for flooding, this seems related to the question I asked earlier. 
Please bear with me.)


I am using relayd on 7.3-release as an IP loadbalancer in front of some 
dualstack backend hosts. This setup has worked for some years now.


After upgrading to 7.3 about 4 weeks ago I noticed a steady decline of 
IPv6 sessions coming into the backend servers, up to the point where 
none arrive at all (for 2 days now).


Now users start complaining that their connections to the servers 
(public IP) are either timing out or are established only after a very 
long time (usually the tcp start timeout when the client switches from 
IPv6 to trying IPv4). The IPv4 connections succeed immediately.


pflog shows that the IPv6 SYN-ACK replies from the backend servers are 
being dropped by pf. But weirdly the blocks are logged over 30 seconds 
after the SYN is allowed through:



Jun 20 14:12:49.489707 rule 2/(match) [uid 0, pid 85766] pass out on vlanX: [Client.IP6].50210 > [Server.IP6].443: S 2508622700:2508622700(0) win 64800 <[|tcp]> [flowlabel 0xd4400] (len 32, hlim 52)
Jun 20 14:12:49.493267 rule 2/(match) [uid 0, pid 85766] pass out on vlanX: [Client.IP6].50211 > [Server.IP6].443: S 806421981:806421981(0) win 64800 <[|tcp]> [flowlabel 0x162e5] (len 32, hlim 52)
Jun 20 14:12:49.507508 rule 2/(match) [uid 0, pid 85766] pass out on vlanX: [Client.IP6].50212 > [Server.IP6].443: S 3945655871:3945655871(0) win 64800 <[|tcp]> [flowlabel 0x8abc6] (len 32, hlim 52)
Jun 20 14:12:49.517783 rule 2/(match) [uid 0, pid 85766] pass out on vlanX: [Client.IP6].50213 > [Server.IP6].443: S 1191028748:1191028748(0) win 64800 <[|tcp]> [flowlabel 0xa7d6] (len 32, hlim 52)

Jun 20 14:13:20.943370 rule 2/(match) [uid 0, pid 85766] block in on vlanX: [Server.IP6].443 > [Client.IP6].50213: S 3650589557:3650589557(0) ack 209077342 win 64800 <[|tcp]> [flowlabel 0xd922c] (len 32, hlim 64)
Jun 20 14:13:20.943433 rule 2/(match) [uid 0, pid 85766] block in on vlanX: [Server.IP6].443 > [Client.IP6].50212: S 2068945110:2068945110(0) ack 2313561433 win 64800 <[|tcp]> [flowlabel 0xf8c9c] (len 32, hlim 64)
Jun 20 14:13:20.943476 rule 2/(match) [uid 0, pid 85766] block in on vlanX: [Server.IP6].443 > [Client.IP6].50211: S 3395939328:3395939328(0) ack 1849611325 win 64800 <[|tcp]> [flowlabel 0xb519e] (len 32, hlim 64)
Jun 20 14:13:20.943518 rule 2/(match) [uid 0, pid 85766] block in on vlanX: [Server.IP6].443 > [Client.IP6].50210: S 106368970:106368970(0) ack 1534267447 win 64800 <[|tcp]> [flowlabel 0xca19a] (len 32, hlim 64)


(The rule 2 that is logged is the rule number of the relayd/* anchor.)

tcpdump on vlanX shows the backend server sends the SYN-ACK immediately.

The IPv4 addresses are natted from public to rfc-1918 space and work.

For IPv6, the address of backend server.A is used as the public IP 
(service.pub). Only if server.A becomes unavailable, are packets 
redirected to server.B.


relayd.conf:
...
table  {
   Server.A.IP6 retry 2
}
table  {
   Server.B.IP6 retry 2
}
redirect "service.pub.80.v6" {
  listen on Server.A.IP6 tcp port 80 interface trunk0
  forward to  port 80 \
check http "/" host "server.A" code 200
  forward to  port 80 \
check http "/" host "server.B" code 200
}
redirect "service.pub.443.v6" {
  listen on Server.A.IP6 tcp port 443 interface trunk0
  forward to  port 443 \
check https "/" host "server.A" code 200
  forward to  port 443 \
check https "/" host "server.B" code 200
}

I am not 100% sure that the IPv6 failover actually worked before, but 
the connections to Server.A.IP6 were definitely working.

I do see the http and https checks succeed on both backend servers.

I've tried flushing the states and rebooting the firewall, to no avail.

relayctl shows all redirects/tables as active and all hosts as up:

2   redirect   service.pub.80.v6    active
3   table      server.A:80          active (1 hosts)
3   host       Server.A.IP6         100.00% up
4   table      server.B:80          active (1 hosts)
4   host       Server.B.IP6         100.00% up

3   redirect   service.pub.443.v6   active
5   table      server.A:443         active (1 hosts)
5   host       Server.A.IP6         100.00% up
6   table      server.B:443         active (1 hosts)
6   host       Server.B.IP6         100.00% up


Now I'm out of ideas on how to debug this further.

Has anyone been experiencing something similar?
Has something fundamental changed in relayd or pf that could cause this?
Does anybody spot an error in my configuration?

Thanks for any pointer!

Best regards
Markus
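As an added example, not from the thread: a sh/awk pass over pflog output of the shape shown above that pairs each passed-out SYN with the blocked SYN-ACK for the same client port and reports the delay. The follow-up in this thread found that the state created by the SYN had already been removed when the SYN-ACK arrived, and that delay is the first number to hold against `pfctl -s timeouts`. The log lines are constructed from the ones above with documentation addresses; the tcpdump field layout they follow is an assumption taken from the message.

```sh
#!/bin/sh
# Added example: measure how long blocked SYN-ACKs trailed their passed SYNs
# in `tcpdump -n -e -ttt -i pflog0` output. A SYN-ACK blocked on the way in
# although its SYN was passed out means pf no longer held the state that
# SYN created; the delay is what to compare with tcp.first and friends in
# `pfctl -s timeouts`, and with whatever else removed states (a flush, or
# the upstream neighbor lookup failing as in this thread).
# Within-day timestamps: a capture across midnight needs a date-aware
# version, which is fine for the short captures this is meant for.

# Constructed sample modeled on the message's pflog lines (2001:db8::/32
# in place of the redacted addresses), plus one SYN that got no reply.
SAMPLE_PFLOG='Jun 20 14:12:49.489707 rule 2/(match) [uid 0, pid 85766] pass out on vlanX: 2001:db8::10.50210 > 2001:db8:1::443.443: S 2508622700:2508622700(0) win 64800 <[|tcp]> [flowlabel 0xd4400] (len 32, hlim 52)
Jun 20 14:12:49.493267 rule 2/(match) [uid 0, pid 85766] pass out on vlanX: 2001:db8::10.50211 > 2001:db8:1::443.443: S 806421981:806421981(0) win 64800 <[|tcp]> [flowlabel 0x162e5] (len 32, hlim 52)
Jun 20 14:12:49.507508 rule 2/(match) [uid 0, pid 85766] pass out on vlanX: 2001:db8::10.50212 > 2001:db8:1::443.443: S 3945655871:3945655871(0) win 64800 <[|tcp]> [flowlabel 0x8abc6] (len 32, hlim 52)
Jun 20 14:12:49.517783 rule 2/(match) [uid 0, pid 85766] pass out on vlanX: 2001:db8::10.50213 > 2001:db8:1::443.443: S 1191028748:1191028748(0) win 64800 <[|tcp]> [flowlabel 0xa7d6] (len 32, hlim 52)
Jun 20 14:12:50.100000 rule 2/(match) [uid 0, pid 85766] pass out on vlanX: 2001:db8::10.50214 > 2001:db8:1::443.443: S 11111:11111(0) win 64800 <[|tcp]> [flowlabel 0x1] (len 32, hlim 52)
Jun 20 14:13:20.943370 rule 2/(match) [uid 0, pid 85766] block in on vlanX: 2001:db8:1::443.443 > 2001:db8::10.50213: S 3650589557:3650589557(0) ack 209077342 win 64800 <[|tcp]> [flowlabel 0xd922c] (len 32, hlim 64)
Jun 20 14:13:20.943433 rule 2/(match) [uid 0, pid 85766] block in on vlanX: 2001:db8:1::443.443 > 2001:db8::10.50212: S 2068945110:2068945110(0) ack 2313561433 win 64800 <[|tcp]> [flowlabel 0xf8c9c] (len 32, hlim 64)
Jun 20 14:13:20.943476 rule 2/(match) [uid 0, pid 85766] block in on vlanX: 2001:db8:1::443.443 > 2001:db8::10.50211: S 3395939328:3395939328(0) ack 1849611325 win 64800 <[|tcp]> [flowlabel 0xb519e] (len 32, hlim 64)
Jun 20 14:13:20.943518 rule 2/(match) [uid 0, pid 85766] block in on vlanX: 2001:db8:1::443.443 > 2001:db8::10.50210: S 106368970:106368970(0) ack 1534267447 win 64800 <[|tcp]> [flowlabel 0xca19a] (len 32, hlim 64)'

# syn_synack_delays: pflog text on stdin -> "client_port delay_seconds" for
# each blocked SYN-ACK whose SYN was seen passing out, in arrival order.
syn_synack_delays() {
  awk '
    function tosec(t,  a) { split(t, a, ":"); return a[1] * 3600 + a[2] * 60 + a[3] }
    function port(tok,  a, n) { n = split(tok, a, "."); return a[n] }   # tcpdump appends .port
    # Jun 20 14:12:49.489707 rule 2/(match) [uid 0, pid 85766] pass out on vlanX: src > dst: S seq win ...
    #  1   2        3         4      5       6   7   8    9      10  11  12   13   14 15  16  17 18   19
    $4 == "rule" && $10 == "pass" && $11 == "out" && $17 == "S" && $19 == "win" {
      syn[port($14)] = tosec($3)
    }
    $4 == "rule" && $10 == "block" && $11 == "in" && $17 == "S" && $19 == "ack" {
      dst = $16; sub(/:$/, "", dst)
      p = port(dst)
      if (p in syn) printf "%s %.3f\n", p, tosec($3) - syn[p]
    }'
}

# late_synacks SECONDS: keep only pairs whose delay exceeds SECONDS.
late_synacks() {
  syn_synack_delays | awk -v thr="$1" '$2 + 0 > thr + 0'
}

# unanswered_syns: client ports whose SYN passed out but for which no
# SYN-ACK was logged at all, blocked or otherwise.
unanswered_syns() {
  awk '
    $4 == "rule" && $10 == "pass" && $11 == "out" && $17 == "S" && $19 == "win" {
      n = split($14, a, "."); seen[a[n]] = 1
    }
    $4 == "rule" && $11 == "in" && $17 == "S" && $19 == "ack" {
      dst = $16; sub(/:$/, "", dst); n = split(dst, a, "."); delete seen[a[n]]
    }
    END { for (p in seen) print p }' | sort -n
}

if [ "${1-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_PFLOG" | late_synacks 30
fi
```

Feed it `tcpdump -n -e -ttt -i pflog0 'tcp[tcpflags] & tcp-syn != 0'` from the firewall: a cluster of delays just above one of the values in `pfctl -s timeouts` points at a state timing out, delays that vary wildly point at something in the path (here the upstream gateway's neighbor resolution) rather than at pf, and ports listed by unanswered_syns never came back at all.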



All packets logged with relayd/* anchor rule number

2023-06-23 Thread Markus Wernig

Hi all

I am using relayd on 7.3-release as an incoming IP loadbalancer and 
therefore have this line near the beginning of the filter section of 
pf.conf:


anchor "relayd/*"

It shows up as rule number 2 in pfctl -vv -s rules:

@0 match all scrub (no-df reassemble tcp)
  [ Evaluations: 89452     Packets: 545363    Bytes: 161423157   States: 1772  ]
  [ Inserted: uid 0 pid 59061 State Creations: 0     ]
@1 match out all scrub (random-id)
  [ Evaluations: 89452     Packets: 295160    Bytes: 98671558    States: 921   ]
  [ Inserted: uid 0 pid 59061 State Creations: 0     ]
@2 anchor "relayd/*" all
  [ Evaluations: 89452     Packets: 576068    Bytes: 163171696   States: 1772  ]
  [ Inserted: uid 0 pid 59061 State Creations: 58739 ]


But now all packets get logged with rule no. 2 in pflog, regardless of 
whether or not they match any relayd redirect.


Here's an example of an outgoing natted NTP query, which has nothing 
whatsoever to do with the relayd rules/redirects:


# tcpdump -e -vvv -ttt -n -i pflog0 port ntp

Jun 23 20:07:56.377848 rule 2/(match) [uid 0, pid 59061] pass in on vlanX: 192.168.x.y.123 > a.b.c.d.123: v4 client strat 2 poll 10 prec -24 dist 0.006881 disp 0.034591 ref a.b.c.d@3896531217.384170621 orig 3896531389.381188988 [|ntp] (DF) [tos 0xb8] (ttl 64, id 1236, len 76)
Jun 23 20:07:56.377928 rule 2/(match) [uid 0, pid 59061] pass out on trunk0: [rewritten: src n.m.p.o:55798, dst a.b.c.d:123] 192.168.x.y.123 > a.b.c.d.123: v4 client strat 2 poll 10 prec -24 dist 0.006881 disp 0.034591 ref a.b.c.d@3896531217.384170621 orig 3896531389.381188988 [|ntp] [tos 0xb8] (ttl 63, id 1236, len 76, bad ip cksum dd99! -> de99)



Is this the expected behaviour?

Is there any way to get the actual rule numbers back? I am quite sure 
this was different in earlier releases.


Thank you in advance

Markus
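The pid in those pflog lines, which is also what the earlier "can't find PID" message in this archive asks about, is the pid pf recorded for the process that inserted the rule: the `[ Inserted: uid 0 pid 59061 ... ]` lines above carry the same value that pflog prints. As an added example (not from the thread), here is a sh/awk check that joins the two outputs. Every pflog hit whose pid differs from the inserter of that rule number in the current ruleset was logged against a ruleset that has since been replaced, so its rule number must not be read against the current one. The sample texts are constructed from the output above.

```sh
#!/bin/sh
# Added example: join the "[uid U, pid P]" pair that pflog logs with the
# "[ Inserted: uid U pid P ... ]" line `pfctl -vv -s rules` prints per rule.
# pf stores, for every rule, uid and pid of the process that inserted it
# (pfctl for a ruleset load, relayd for the rules inside its anchor), and
# pflog reports that pair with each logged packet. Rule numbers are only
# meaningful relative to the ruleset loaded by that process: after
# `pfctl -f` the same number can name a different rule, so a pflog hit
# should be looked up in the current ruleset only if the pids agree.

# Constructed sample of `pfctl -vv -s rules`, modeled on the output above.
SAMPLE_RULES='@0 match all scrub (no-df reassemble tcp)
  [ Evaluations: 89452     Packets: 545363    Bytes: 161423157   States: 1772  ]
  [ Inserted: uid 0 pid 59061 State Creations: 0     ]
@1 match out all scrub (random-id)
  [ Evaluations: 89452     Packets: 295160    Bytes: 98671558    States: 921   ]
  [ Inserted: uid 0 pid 59061 State Creations: 0     ]
@2 anchor "relayd/*" all
  [ Evaluations: 89452     Packets: 576068    Bytes: 163171696   States: 1772  ]
  [ Inserted: uid 0 pid 59061 State Creations: 58739 ]'

# Constructed sample of `tcpdump -n -e -ttt -i pflog0`: a hit from the
# current ruleset, one logged before a reload (different pid), and one for
# a rule number the current ruleset does not have.
SAMPLE_PFLOG='Jun 23 20:07:56.377848 rule 2/(match) [uid 0, pid 59061] pass in on vlanX: 192.168.1.2.123 > 192.0.2.10.123: v4 client strat 2 poll 10
Jun 23 20:09:11.104211 rule 2/(match) [uid 0, pid 85766] pass out on vlanX: 2001:db8::10.50210 > 2001:db8:1::443.443: S 1:1(0) win 64800
Jun 23 20:09:12.000000 rule 7/(match) [uid 0, pid 59061] block in on vlanX: 198.51.100.7.4444 > 192.0.2.10.22: S 2:2(0) win 1024'

# rule_inserters: `pfctl -vv -s rules` text on stdin -> "rulenum pid" per rule.
rule_inserters() {
  awk '
    /^@[0-9]+ / { rule = substr($1, 2) }
    /\[ Inserted: uid [0-9]+ pid [0-9]+/ {
      for (i = 1; i <= NF; i++) if ($i == "pid") { print rule, $(i + 1); break }
    }'
}

# pflog_hits: tcpdump pflog text on stdin -> "rulenum pid action" per line.
pflog_hits() {
  awk '
    match($0, /rule [0-9]+\/\([a-z]+\) \[uid [0-9]+, pid [0-9]+\] (pass|block|match)/) {
      split(substr($0, RSTART, RLENGTH), f, " ")   # rule N/(match) [uid U, pid P] action
      sub(/\/.*/, "", f[2]); sub(/\]$/, "", f[6])
      print f[2], f[6], f[7]
    }'
}

# check_pflog_against_ruleset RULES_TEXT PFLOG_TEXT -> one verdict per hit:
#   current  pid matches the inserter of that rule number in RULES_TEX
#   stale    rule number exists but was inserted by another process
#   unknown  no such rule number in RULES_TEXT
check_pflog_against_ruleset() {
  map=$(printf '%s\n' "$1" | rule_inserters)
  printf '%s\n' "$2" | pflog_hits | awk -v map="$map" '
    BEGIN {
      n = split(map, lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], kv, " "); ins[kv[1]] = kv[2] }
    }
    {
      v = ($1 in ins) ? (ins[$1] == $2 ? "current" : "stale") : "unknown"
      print "rule", $1, "pid", $2, v
    }'
}

if [ "${1-}" = "demo" ]; then
  check_pflog_against_ruleset "$SAMPLE_RULES" "$SAMPLE_PFLOG"
fi
```

On a live box, `check_pflog_against_ruleset "$(pfctl -vv -s rules)" "$(tcpdump -n -e -ttt -r /var/log/pflog)"` is the whole invocation; for hits inside an anchor, run pfctl with `-a 'relayd/*'` as well, since the anchor's own rules have their own numbering and their own inserter.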



Re: carp status master on both firewalls

2023-04-14 Thread Markus Wernig
for my external carp interface both firewalls show master as status 


The config is below for reference:

/etc/hostname.carp0 on fw1

inet x.x.x.114 255.255.255.240 x.x.x.127 vhid 40 carpdev em2 pass password advskew 1
inet alias x.x.x.115 0xfff0
inet alias x.x.x.116 0xfff0

/etc/hostname.carp0 on fw2

inet x.x.x.114 255.255.255.240 x.x.x.127 vhid 40 carpdev em0 pass password advskew 128
inet alias x.x.x.115 0xfff0
inet alias x.x.x.116 0xfff0

On both firewalls I have added the following in /etc/pf.conf:

pass on { $ext_if $int_if } proto carp keep state (no-sync)

Did anyone already encounter this issue or has any idea what might be wrong?


Hard to tell without logs. Some things that come to mind:

- Do the two fw actually have a link on their carp0 carpdev interfaces? 
If both are master, both should be sending out CARP advertisements, so 
I'd try to run tcpdump on both external interfaces and look for those:

tcpdump -n -e -i carp0 proto carp

- Did you enable CARP preemption? Try setting these via sysctl:
net.inet.carp.preempt=1
net.inet.carp.log=3

- In your config one fw has carpdev em2, the other carpdev em0. Could be 
OK, or could be an error.
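As an added example, not from the thread: a sh/awk pass over a capture of CARP advertisements that shows whether two nodes keep advertising the same vhid, which is what the tcpdump suggested above would show when both sides report master. It keys on the advskew value, because both nodes send from the same virtual MAC and, when the carpdev carries no address of its own, from the same address too. The capture lines are constructed; their exact field layout is an assumption modeled on tcpdump's CARP decoding, and the parser relies only on the `src > dst` tokens and the `vhid=`/`advskew=` fields.

```sh
#!/bin/sh
# Added example: find vhids that more than one node keeps advertising in a
# capture such as `tcpdump -n -e -i em2 proto carp` (the carpdev sees both
# its own and the peer's advertisements). Two advertisers for one vhid
# means both nodes consider themselves master; the one with the higher
# advskew should have gone backup on hearing the better advertisement, so
# it is not receiving them: link, a switch dropping 224.0.0.18, pf, or a
# "pass" mismatch making the peer's packets fail authentication.
# Line format is an assumption modeled on tcpdump's CARP decoder; only the
# "src > dst" tokens and the vhid=/advskew= fields are used.

# Constructed capture: vhid 40 advertised by two nodes (advskew 1 and 128,
# as in the configs above), vhid 41 by a single node.
SAMPLE_CAPTURE='12:00:00.000123 00:00:5e:00:01:28 01:00:5e:00:00:12 0800 70: 192.0.2.114 > 224.0.0.18: CARPv2-advertise 36: vhid=40 advbase=1 advskew=1 demote=0 [tos 0x10] (ttl 255, id 0, len 56)
12:00:00.417802 00:00:5e:00:01:28 01:00:5e:00:00:12 0800 70: 192.0.2.114 > 224.0.0.18: CARPv2-advertise 36: vhid=40 advbase=1 advskew=128 demote=0 [tos 0x10] (ttl 255, id 0, len 56)
12:00:01.000201 00:00:5e:00:01:28 01:00:5e:00:00:12 0800 70: 192.0.2.114 > 224.0.0.18: CARPv2-advertise 36: vhid=40 advbase=1 advskew=1 demote=0 [tos 0x10] (ttl 255, id 0, len 56)
12:00:01.418009 00:00:5e:00:01:28 01:00:5e:00:00:12 0800 70: 192.0.2.114 > 224.0.0.18: CARPv2-advertise 36: vhid=40 advbase=1 advskew=128 demote=0 [tos 0x10] (ttl 255, id 0, len 56)
12:00:01.500000 00:00:5e:00:01:29 01:00:5e:00:00:12 0800 70: 192.0.2.130 > 224.0.0.18: CARPv2-advertise 36: vhid=41 advbase=1 advskew=0 demote=0 [tos 0x10] (ttl 255, id 0, len 56)'

# carp_advertisers: capture on stdin -> "vhid advskew src count", one line
# per distinct (vhid, advskew, source) seen, sorted by vhid then advskew.
carp_advertisers() {
  awk '
    /CARPv[0-9]+-advertise/ {
      src = ""; vhid = ""; skew = ""
      for (i = 1; i <= NF; i++) {
        if ($i == ">")          src  = $(i - 1)
        if ($i ~ /^vhid=/)      vhid = substr($i, 6)
        if ($i ~ /^advskew=/)   skew = substr($i, 9)
      }
      if (vhid != "" && skew != "") count[vhid " " skew " " src]++
    }
    END { for (k in count) print k, count[k] }' | sort -k1,1n -k2,2n
}

# carp_dual_masters: one line per vhid with more than one advertiser, naming
# the advskew that should have backed off (the highest one).
carp_dual_masters() {
  carp_advertisers | awk '
    {
      n[$1]++
      if (!($1 in hi) || $2 + 0 > hi[$1] + 0) { hi[$1] = $2; who[$1] = $3 }
    }
    END {
      for (v in n) if (n[v] > 1)
        print "vhid " v ": " n[v] " advertisers; advskew " hi[v] " (" who[v] ") should be backup"
    }'
}

if [ "${1-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_CAPTURE" | carp_dual_masters
fi
```

A backup that shows up here once or twice right after boot is normal; one that keeps advertising for the whole capture is not hearing its peer. With `net.inet.carp.log=3` the kernel logs state changes, and `netstat -s -p carp` on the node that should have backed off tells you whether the peer's advertisements are arriving and being discarded (authentication, i.e. the `pass` string, is the usual reason) or not arriving at all.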





Re: Compatible

2023-02-23 Thread Markus Rosjat

Hi,
Am 22.02.2023 um 23:35 schrieb Iwil C:

Is OpenSSH compatible with an Azure VM, Windows Server OS 2016 ?



According to Microsoft it's officially supported for Windows Server 2019/2022:

https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui

Cheers




Re: redirection puzzle

2022-12-02 Thread Markus Wernig

On 12/2/22 16:17, rsyk...@disroot.org wrote:

echo 1 | tee $(tty) | sed 's/1/2/'


Not 100% sure, but probably some timing/subshell issue.
This works:

tty=$(tty) && echo 1 | tee $tty | sed 's/1/2/'

best /m



Re: Ipsec + bridge + egre issue with multiple bridges and non-static ip

2022-11-26 Thread Markus Wipp
Hi all,

Sorry for the noise. I found out that it was pf.
When I tested with pf disabled I always only did this with pf disabled on one 
side. Once I disabled on both sides it worked.
So I need to figure out now, what exactly is the issue.

Thanks
Markus

> On 26. Nov 2022, at 11:19, Markus Wipp  wrote:
> 
> Hi all,
> 
> I hope that someone here on the list could give me some hints on how I can 
> make my setup working.
> 
> I have the following setup:
> 
> "Virtual server 1" is connected to "Virtual server 2" via egre over ipsec; on 
> both sides I’m using a bridge and a vether interface.
> Both virtual servers are located at different hosters and have public ip 
> addresses.
> Between them the mentioned private connection is always coming up and working 
> (I can ping 192.168.79.1 / 192.168.79.2 from each other)
> 
> In addition I have my router at home, which connects via separate egre over 
> ipsec connections (each with a bridge and a vether interface)
> to each of the virtual servers. This router unfortunately has only a dynamic 
> ipv4 address.
> The connection between the router and the virtual servers is for some reason 
> not coming up completely.
> To my analysis so far it seems that the router bridge learns the Mac 
> addresses of the remote virtual servers vether interfaces, but for
> some reason the bridges on the virtual servers do not learn the address of 
> the routers vether interface.
> tcpdump does show traffic coming into enc0, but it never reaches the bridge, 
> even with pf disabled.
> 
> 
> As I can ping the interface with ip 192.168.66.1 from each of the virtual 
> servers on the router, I’m leaving out the iked configuration.
> If this is needed I could also provide it.
> 
> Find here the corresponding configurations of each of the machines:
> 
> Virtual server 1:
> (Working between virtual server 1 and 2)
> /etc/hostname.bridge0
> add vether0
> add egre0
> up
> 
> /etc/hostname.vether0
> mtu 1500
> inet 192.168.79.1/24
> up
> 
> /etc/hostname.egre0
> mtu 1500 -tunneldf
> tunnel a.b.c.d w.x.y.z
> vnetid 12
> up
> 
> (Not working between virtual server 1 and router)
> /etc/hostname.bridge2
> add vether1
> add egre1
> up
> 
> /etc/hostname.vether1
> mtu 1500
> inet 192.168.80.1/24
> up
> 
> /etc/hostname.egre1
> mtu 1500 -tunneldf
> tunnel a.b.c.d 192.168.66.1
> vnetid 31
> up
> 
> Virtual server 2:
> (Working between virtual server 1 and 2)
> /etc/hostname.bridge0
> add vether0
> add egre0
> up
> 
> /etc/hostname.vether0
> mtu 1500
> inet 192.168.79.2/24
> up
> 
> /etc/hostname.egre0
> mtu 1500 -tunneldf
> tunnel w.x.y.z a.b.c.d
> vnetid 12
> up
> 
> (Not working between virtual server 1 and router)
> /etc/hostname.bridge2
> add vether2
> add egre2
> up
> 
> /etc/hostname.vether2
> mtu 1500
> inet 192.168.81.1/24
> up
> 
> /etc/hostname.egre2
> mtu 1500 -tunneldf
> tunnel w.x.y.z 192.168.66.1
> vnetid 32
> up
> 
> 
> Router:
> /etc/hostname.bridge0
> add vether1
> add egre1
> up
> 
> /etc/hostname.vether1
> mtu 1500
> inet 192.168.80.2/24
> up
> 
> /etc/hostname.egre1
> mtu 1500 -tunneldf
> tunnel 192.168.66.1 a.b.c.d
> vnetid 31
> up
> 
> /etc/hostname.bridge2
> add vether2
> add egre2
> up
> 
> /etc/hostname.vether2
> mtu 1500
> inet 192.168.81.2/24
> up
> 
> /etc/hostname.egre2
> mtu 1500 -tunneldf
> tunnel 192.168.66.1 w.x.y.z
> vnetid 32
> up
> 
> As an example I provide here the output of ifconfig for the relevant 
> interfaces on virtual server 1 (ipv6 stuff removed):
> 
> 
> vio0: 
> flags=e08843
>  mtu 1500
> lladdr 56:00:03:8c:96:8c
> index 1 priority 0 llprio 3
> groups: egress
> media: Ethernet autoselect
> status: active
> inet a.b.c.d netmask 0xfe00 broadcast 199.247.3.255
> 
> enc0: flags=41
> index 2 priority 0 llprio 3
> groups: enc
> status: active
> 
> bridge0: flags=41 mtu 1500
> index 4 llprio 3
> groups: bridge
> priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
> egre0 flags=3
> port 6 ifpriority 0 ifcost 0
> vether0 flags=3
> port 8 ifpriority 0 ifcost 0
> 
> bridge2: flags=41 mtu 1500
> index 5 llprio 3
> groups: bridge
> priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
> egre1 flags=3
> port 12 ifpriority 0 ifcost 0
> vether1 flags=3
> port 9 ifpriority 0 ifcost 0
> 
> egre0: flags=8943 mtu 1500
> lladdr fe:e1:ba:d0:b9:3c
> index 6 priority 0 llprio 3
> encap: vnetid 12 txprio 0 rxprio packet
> groups: egre
> tunnel: inet a.b.c.d --> w.x.y.z ttl 64 nodf
>

Ipsec + bridge + egre issue with multiple bridges and non-static ip

2022-11-26 Thread Markus Wipp
rnet autoselect (1000baseT full-duplex)
status: active
inet e.f.g.h netmask 0xff00 broadcast 95.89.130.255

enc0: flags=41
index 4 priority 0 llprio 3
groups: enc
status: active

bridge0: flags=41 mtu 1500
index 6 llprio 3
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
designated: id 00:00:00:00:00:00 priority 0
egre1 flags=3
port 8 ifpriority 0 ifcost 0
vether1 flags=3
port 14 ifpriority 0 ifcost 0
Addresses (max cache: 100, timeout: 240):
fe:e1:ba:d3:94:e9 egre1 1 flags=0<>

bridge2: flags=41 mtu 1500
index 36 llprio 3
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
designated: id 00:00:00:00:00:00 priority 0
egre2 flags=3
port 9 ifpriority 0 ifcost 0
vether2 flags=3
port 15 ifpriority 0 ifcost 0
Addresses (max cache: 100, timeout: 240):
fe:e1:ba:d3:42:9c egre2 1 flags=0<>

egre1: flags=8943 mtu 1500
lladdr fe:e1:ba:d0:dc:c9
index 8 priority 0 llprio 3
encap: vnetid 31 txprio 0 rxprio packet
groups: egre
tunnel: inet 192.168.66.1 --> a.b.c.d ttl 64 nodf

egre2: flags=8943 mtu 1500
lladdr fe:e1:ba:d1:4f:4c
index 9 priority 0 llprio 3
encap: vnetid 32 txprio 0 rxprio packet
groups: egre
tunnel: inet 192.168.66.1 --> w.x.y.z ttl 64 nodf

vether1: flags=8943 mtu 1500
lladdr fe:e1:ba:d2:ac:6b
index 14 priority 0 llprio 3
groups: vether
media: Ethernet autoselect
status: active
inet 192.168.80.2 netmask 0xff00 broadcast 192.168.80.255

vether2: flags=8943 mtu 1500
lladdr fe:e1:ba:d3:80:aa
index 15 priority 0 llprio 3
groups: vether
media: Ethernet autoselect
status: active
inet 192.168.81.2 netmask 0xff00 broadcast 192.168.81.255

Doing a tcpdump, when pinging from router to virtual server I see arp requests 
on enc0, but no responses, the traffic never shows up on bridge2 (even with pf 
disabled)

tcpdump -nvveei enc0 host e.f.g.h
tcpdump: listening on enc0, link-type ENC
11:11:46.538947 (authentic,confidential): SPI 0xb20636b0: e.f.g.h > a.b.c.d: 
e.f.g.h > a.b.c.d: gre [K] 6558 key=31|0+1f fe:e1:ba:d2:ac:6b ff:ff:ff:ff:ff:ff 
0806 42: arp who-has 192.168.80.1 tell 192.168.80.2 (ttl 64, id 46024, len 70) 
(ttl 54, id 49233, len 90)


Many thanks for any hints that could help me make this work!

Best regards
Markus


signature.asc
Description: Message signed with OpenPGP


Re: calling all PFsync users for experience, gotchas, feedback, tips and tricks

2022-05-11 Thread Markus Wernig

Hi Tom

On 5/11/22 21:32, Tom Smyth wrote:


We are updating some course material for an upcoming PF firewall course,
and I would like to put a call out to those who use PFsync in a
redundant firewall cluster
The one thing that immediately comes to mind is to NOT use a crossover 
cable for the pfsync connection (even though that seems to be kind of 
recommended in the pfsync(4) man page). Doing so will lead to a change 
of the other firewall's carp demotion counter on its pfsync interface if 
one peer is rebooted or shut down (and thus causing a link down event on 
the cabled interface on the other side). It also gives you three chained 
single points of failure at the same time (nic1, cable, nic2), which I 
would rather avoid (do the math).


I do of course agree with the intention of the suggestion (only run 
pfsync over a secure link). Since I am in the position where I only run 
my PF firewalls in a trusted environment, where I also control the 
switches (no shared cloud etc. infrastructure), I have found that 
running pfsync over a dedicated VLAN interface on a pair of trunk(4)ed 
NICs on 2 trusted switches sufficiently satisfies that requirement.


Best, Markus
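As an added example (not from the reply), the layout the reply describes, in hostname.if and pf.conf terms: pfsync on its own VLAN over a failover trunk of two NICs to two trusted switches, unicast to a fixed peer, and a pf rule that admits pfsync only between the two peers on that interface. Interface names, the VLAN id and the /30 are assumptions.

```conf
# Added example, not from the thread. Interface names, VLAN id and the /30
# are assumptions. The second firewall gets the same files with the two
# addresses swapped.

# /etc/hostname.trunk0   two NICs to two trusted switches, active/standby;
#                        one dead cable or switch does not take the trunk
#                        down, so the pfsync interface sees no link-down
#                        event when the peer reboots
trunkproto failover trunkport em2 trunkport em3
up

# /etc/hostname.vlan200  a VLAN that carries nothing but pfsync
vnetid 200
parent trunk0
inet 10.255.255.1/30

# /etc/hostname.pfsync0  unicast to the peer instead of multicast. pfsync
#                        carries the state table in clear and does not
#                        authenticate, which is why the path has to be
#                        trusted end to end
syncdev vlan200 syncpeer 10.255.255.2
up

# /etc/pf.conf           only pfsync, only between the two peers, only on
#                        that VLAN; the sync traffic itself is kept out of
#                        the state table that is being synchronised
pass quick on vlan200 proto pfsync from 10.255.255.0/30 to 10.255.255.0/30 no state
block drop log quick on vlan200 all
```

After `sh /etc/netstart trunk0 vlan200 pfsync0` on both nodes, `ifconfig pfsync0` should show the syncpeer and `pfctl -s states | wc -l` should converge on both; the demotion counter the reply mentions is visible with `ifconfig carp0` (carp demote) and `sysctl net.inet.carp.demote`, and it should stay put when one node is rebooted.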



Re: OpenBSD on WatchGuard devices

2022-03-13 Thread Markus Rosjat

Hi all,

Just wanted to thank all you guys who posted suggestions, I got OpenBSD 
running now on my XTM5.

I will try Graeme's solution for flashing the ROM to unlock the BIOS and 
I will post my progress too.

What worked for me was:

- Installing miniroot70.img on a USB drive
- Installing OpenBSD on a notebook with an SSD HDD
- setting tty to com0 in /etc/boot.conf

After plugging the HDD into the XTM5 it booted like a charm.

Thanks again you wonderful helpful people :)

Cheers




Re: OpenBSD on WatchGuard devices

2022-03-11 Thread Markus Rosjat

Hi Lukas,

Am 10.03.2022 um 10:23 schrieb Łukasz Moskała:

Hi,

 From what I read, you can use SSD/HDD in these things. So basically, you have 
two ways which I think should work:

  - DD miniroot70.img to hdd, plug hdd in, boot from it, install to same hdd you booted 
from. You may need to create boot.conf in miniroot70.img to use serial instead of 
non-existent vga if "boot>" prompt does not show up to do that at boot time.
  - plug hdd to another computer, install openbsd to it, move hdd to watchguard.


I will give it a shot, the device is an XTM 5.


The second way I found here: 
https://www.reddit.com/r/PFSENSE/comments/rce3i6/howto_pfsense_252_on_watchguard_xtm_5/


I saw that already but the steps he took don't seem to work for me so far.


Let us know how it goes.

--
Łukasz Moskała



Cheers




Re: OpenBSD on WatchGuard devices

2022-03-09 Thread Markus Rosjat
I already tried that on my XTM5 here but it isn't working so far; the 
problem seems to be a locked-down BIOS and I found some post that 
mentioned booting from the USB ports wasn't enabled. What I tried 
so far is:

- booting from USB -> not working
- booting from a CF Card -> not working

The BIOS version of the WatchGuard is 1.3


Am 09.03.2022 um 17:21 schrieb Graeme Neilson:

On the WatchGuard XTM5 you remove the compact flash, add a hard drive to the 
internal SATA port and boot from USB using the RJ45 serial console. I have a 
patched lcdproc for the small screen. Arch is amd64 and you can very cheaply 
upgrade the CPU and add up to 8 GB RAM.


On 10/03/2022, at 00:01, Markus Rosjat  wrote:

Hi list,

has someone out there ever attempted to reuse WatchGuard devices? If so can he 
point out some hints on how to go about it?
We have a few devices laying around here and I don't see the point in not trying 
to reuse them.

Cheers






OpenBSD on WatchGuard devices

2022-03-09 Thread Markus Rosjat

Hi list,

has someone out there ever attempted to reuse WatchGuard devices? If so 
can he point out some hints on how to go about it?
We have a few devices laying around here and I don't see the point in not 
trying to reuse them.


Cheers

--
Markus Rosjat    fon: +49 351 8107224    mail: ros...@ghweb.de




Re: GRE IP6/IP6 not working as soon as pf is enabled

2022-01-16 Thread Markus Wipp
Yes, that's correct and just to make sure you got my last email. I was able to 
fix my issue in the meantime by adding allow-opts

> On 16. Jan 2022, at 12:40, David Gwynne  wrote:
> 
> you've set the net.inet.gre.allow sysctl to 1, right?
> 
>> On 16 Jan 2022, at 17:05, Markus Wipp  wrote:
>> 
>> Hi David,
>> 
>> First of all thank you so much for taking the time for my question!
>> 
>>> My first impression is that you're confusing where to apply policy to
>>> the encapsulated traffic. "pass on gre proto gre" implies you're
>>> trying to pass GRE packets as they go over gre(4) interfaces, but
>>> it's the unencapsulated packets that go over gre(4), and the GRE
>>> encapsulated packets will go over your "underlay" or physical
>>> interfaces, which looks like em0 according to tcpdump.
>> 
>> Yes, it might be that I’m a little bit confused right now, after all the
>> “Experiments” I already did to make this work.
>> 
>>> Your pass rule should let everything work though. Those two rules are
>>> your entire ruleset?
>> 
>> Yes, those two rules are all I have (I reduced my whole rule set to this to 
>> sort out things)
>> In the meantime I changed it to the following as per your and Georg's 
>> suggestion.
>> 
>> In file:
>> pass log (all, to pflog0)
>> # pass the GRE encapsulated traffic
>> pass inet6 proto gre
>> # let ping6 over gre(4) work
>> pass on gre inet6 proto icmp6
>> #pass on gre proto gre no state
>> 
>> 
>> doas pfctl -s rules
>> pass log (all) all flags S/SA
>> pass inet6 proto gre all
>> pass on gre inet6 proto ipv6-icmp all
>> 
>> With these rules I get, so at least I can see the reply on em0:
>> 
>> doas tcpdump -nvei em0 ip6 or icmp6 or proto gre
>> tcpdump: listening on em0, link-type EN10MB
>> 07:54:28.107820 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 
>> 2a02::yyy:zzz::1 > 2a00:::::10: gre [] 86dd 
>> 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo request (id:597c 
>> seq:0) (len 64, hlim 64) [flowlabel 0x71e6] (len 108, hlim 64)
>> 07:54:28.156366 34:81:c4:e0:4b:79 00:0d:b9:44:ec:dc 86dd 170: 
>> 2a00:::::10 > 2a02::yyy:zzz::1: DSTOPT (type 0x04: len=1) 
>> gre [] 86dd 2a01:qqq::ss::1 > 2a01:qqq::ss::2: icmp6: echo reply 
>> (id:597c seq:0) [flowlabel 0xa8f7b] (len 64, hlim 64) [flowlabel 0xa8f7b] 
>> (len 116, hlim 243)
>> 07:54:29.109744 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 
>> 2a02::yyy:zzz::1 > 2a00:::::10: gre [] 86dd 
>> 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo request (id:597c 
>> seq:1) (len 64, hlim 64) [flowlabel 0x71e6] (len 108, hlim 64)
>> 07:54:29.166480 34:81:c4:e0:4b:79 00:0d:b9:44:ec:dc 86dd 170: 
>> 2a00:::::10 > 2a02::yyy:zzz::1: DSTOPT (type 0x04: len=1) 
>> gre [] 86dd 2a01:qqq::ss::1 > 2a01:qqq::ss::2: icmp6: echo reply 
>> (id:597c seq:1) [flowlabel 0xa8f7b] (len 64, hlim 64) [flowlabel 0xa8f7b] 
>> (len 116, hlim 243)
>> 07:54:30.110067 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 
>> 2a02::yyy:zzz::1 > 2a00:::::10: gre [] 86dd 
>> 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo request (id:597c 
>> seq:2) (len 64, hlim 64) [flowlabel 0x71e6] (len 108, hlim 64)
>> 07:54:30.156013 34:81:c4:e0:4b:79 00:0d:b9:44:ec:dc 86dd 170: 
>> 2a00:::::10 > 2a02::yyy:zzz::1: DSTOPT (type 0x04: len=1) 
>> gre [] 86dd 2a01:qqq::ss::1 > 2a01:qqq::ss::2: icmp6: echo reply 
>> (id:597c seq:2) [flowlabel 0xa8f7b] (len 64, hlim 64) [flowlabel 0xa8f7b] 
>> (len 116, hlim 243)
>> 
>> Unfortunately it never reaches gre0:
>> 
>> doas tcpdump -nvei gre1051 ip6 or icmp6 or proto gre
>> tcpdump: listening on gre1051, link-type LOOP
>> 07:54:28.107741 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo 
>> request (id:597c seq:0) [icmp6 cksum ok] (len 64, hlim 64)
>> 07:54:29.109675 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo 
>> request (id:597c seq:1) [icmp6 cksum ok] (len 64, hlim 64)
>> 07:54:30.110004 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo 
>> request (id:597c seq:2) [icmp6 cksum ok] (len 64, hlim 64)
>> 
>> 
>>> The bare "pass" rule not letting this work makes me feel like there's
>>> more to this though.
>> 
>> Yes, I also think that there must be more to it, but I just don’t see the 
>> trees for the forest here.
>> 
>> Thanks
>> Markus
>> 
> 



Fwd: GRE IP6/IP6 not working as soon as pf is enabled

2022-01-16 Thread Markus Wipp
Hi all,

I got this information from Peter, which did the trick!
I now have my complete rule-set with a block default policy working!

Thanks to David and Georg as well for their help!

Best regards
Markus

> Begin forwarded message:
> 
> From: "Peter J. Philipp" 
> Subject: Re: GRE IP6/IP6 not working as soon as pf is enabled
> Date: 16. January 2022 at 08:03:39 CET
> To: Markus Wipp 
> 
> Hi,
> 
> You look like you might understand german so I have a german link for you:
> 
> https://wiki.freifunk-franken.de/w/Benutzer:PeterPhilipp#GRE_konfigurieren_mit_pf_trick
> 
> It seems that when the remote end is Linux that they put in an intermediate
> header with an empty option into the GRE packet.  The "allow-opts" option
> should pass this in pf.
> 
> Wish you best of luck!
> 
> -peter
> 
> On Sat, Jan 15, 2022 at 08:10:44PM +0100, Markus Wipp wrote:
>> Hi all,
>> 
>> This is my first mail to an OpenBSD list, so I hope I chose the correct one.
>> 
>> I'm trying to get a GRE tunnel in combination with pf working a few days 
>> now
>> on my OpenBSD (OpenBSD 7.0 (GENERIC.MP) #232: Thu Sep 30 14:25:29 MDT 2021)
>> 
>> If I disable pf with pfctl -d the connection is working and I can ping.
>> However as soon as I enable pf with pfctl -e the ping stops working (even 
>> with a configuration that
>> should allow all traffic according to my understanding)
>> 
>> The GRE interface looks like:
>> 
>> gre0: flags=8051 mtu 1476
>>  index 44 priority 0 llprio 6
>>  encap: vnetid none txprio payload rxprio packet
>>  groups: gre
>>  tunnel: inet6 2a02::yyy:zzz::1 --> 2a00:::::10 ttl 64 
>> nodf ecn
>>  inet6 fe80::20d:b9ff:fe44:ecdc%gre1051 -->  prefixlen 64 scopeid 0x2c
>>  inet6 2a01:qqq::ss::2 -->  prefixlen 128
>> 
>> The simplified pf-Rule looks like:
>> 
>> pass
>> pass on gre proto gre no state
>> 
>> tcpdump shows the following:
>> 
>> doas tcpdump -nvei gre0 ip6 and icmp6 or proto gre
>> tcpdump: listening on gre0, link-type LOOP
>> 19:29:15.124113 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo 
>> request (id:9e45 seq:18) [icmp6 cksum ok] (len 64, hlim 64)
>> 19:29:16.124438 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo 
>> request (id:9e45 seq:19) [icmp6 cksum ok] (len 64, hlim 64)
>> 19:29:17.124811 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo 
>> request (id:9e45 seq:20) [icmp6 cksum ok] (len 64, hlim 64)
>> 
>> and
>> 
>> doas tcpdump -nvei em0 ip6 and icmp6 or proto gre
>> tcpdump: listening on em0, link-type EN10MB
>> 19:51:06.126497 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 
>> 2a02::yyy:zzz::1 > 2a00:::::10: gre [] 86dd 
>> 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo request (id:9e45 
>> seq:1329) (len 64, hlim 64) [flowlabel 0x367f] (len 108, hlim 64)
>> 19:51:07.126815 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 
>> 2a02::yyy:zzz::11 > 2a00:::::10: gre [] 86dd 
>> 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo request (id:9e45 
>> seq:1330) (len 64, hlim 64) [flowlabel 0x367f] (len 108, hlim 64)
>> 19:51:08.127252 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 
>> 2a02::yyy:zzz::1 > 2a00:::::10: gre [] 86dd 
>> 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo request (id:9e45 
>> seq:1331) (len 64, hlim 64) [flowlabel 0x367f] (len 108, hlim 64)
>> 
>> 
>> And
>> 
>> doas tcpdump -nvei pflog0
>> tcpdump: WARNING: snaplen raised from 116 to 160
>> tcpdump: listening on pflog0, link-type PFLOG
>> 19:55:03.962579 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0: 
>> 2a00:::::10 > 2a02::yyy:zzz::1: DSTOPT (type 0x04: len=1) 
>> gre [] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
>> 19:55:04.964864 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0: 
>> 2a00:::::10 > 2a02::yyy:zzz::1: DSTOPT (type 0x04: len=1) 
>> gre [] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
>> 19:55:05.963947 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0: 
>> 2a00:::::10 > 2a02::yyy:zzz::1: DSTOPT (type 0x04: len=1) 
>> gre [] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
>> 
>> 
>> Thanks in advance for any hints on how to solve this issue
>> 
>> Best regards
>> Markus
>> 





Re: GRE IP6/IP6 not working as soon as pf is enabled

2022-01-15 Thread Markus Wipp
Hi David,

First of all thank you so much for taking the time for my question!

> My first impression is that you're confusing where to apply policy to
> the encapsulated traffic. "pass on gre proto gre" implies you're
> trying to pass GRE packets as they go over gre(4) interfaces, but
> it's the unencapsulated packets that go over gre(4), and the GRE
> encapsulated packets will go over your "underlay" or physical
> interfaces, which looks like em0 according to tcpdump.

Yes, it might be that I’m a little bit confused right now, after all the
“Experiments” I already did to make this work.

> Your pass rule should let everything work though. Those two rules are
> your entire ruleset?

Yes, those two rules are all I have (I reduced my whole rule set to this to 
sort out things)
In the meantime I changed it to the following as per your and Georg's suggestion.

In file:
pass log (all, to pflog0)
# pass the GRE encapsulated traffic
pass inet6 proto gre
# let ping6 over gre(4) work
pass on gre inet6 proto icmp6
#pass on gre proto gre no state


doas pfctl -s rules
pass log (all) all flags S/SA
pass inet6 proto gre all
pass on gre inet6 proto ipv6-icmp all

With these rules I get, so at least I can see the reply on em0:

doas tcpdump -nvei em0 ip6 or icmp6 or proto gre
tcpdump: listening on em0, link-type EN10MB
07:54:28.107820 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 
2a02::yyy:zzz::1 > 2a00:::::10: gre [] 86dd 2a01:qqq::ss::2 
> 2a01:qqq::ss::1: icmp6: echo request (id:597c seq:0) (len 64, hlim 64) 
[flowlabel 0x71e6] (len 108, hlim 64)
07:54:28.156366 34:81:c4:e0:4b:79 00:0d:b9:44:ec:dc 86dd 170: 
2a00:::::10 > 2a02::yyy:zzz::1: DSTOPT (type 0x04: len=1) gre 
[] 86dd 2a01:qqq::ss::1 > 2a01:qqq::ss::2: icmp6: echo reply (id:597c 
seq:0) [flowlabel 0xa8f7b] (len 64, hlim 64) [flowlabel 0xa8f7b] (len 116, hlim 
243)
07:54:29.109744 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 
2a02::yyy:zzz::1 > 2a00:::::10: gre [] 86dd 2a01:qqq::ss::2 
> 2a01:qqq::ss::1: icmp6: echo request (id:597c seq:1) (len 64, hlim 64) 
[flowlabel 0x71e6] (len 108, hlim 64)
07:54:29.166480 34:81:c4:e0:4b:79 00:0d:b9:44:ec:dc 86dd 170: 
2a00:::::10 > 2a02::yyy:zzz::1: DSTOPT (type 0x04: len=1) gre 
[] 86dd 2a01:qqq::ss::1 > 2a01:qqq::ss::2: icmp6: echo reply (id:597c 
seq:1) [flowlabel 0xa8f7b] (len 64, hlim 64) [flowlabel 0xa8f7b] (len 116, hlim 
243)
07:54:30.110067 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 
2a02::yyy:zzz::1 > 2a00:::::10: gre [] 86dd 2a01:qqq::ss::2 
> 2a01:qqq::ss::1: icmp6: echo request (id:597c seq:2) (len 64, hlim 64) 
[flowlabel 0x71e6] (len 108, hlim 64)
07:54:30.156013 34:81:c4:e0:4b:79 00:0d:b9:44:ec:dc 86dd 170: 
2a00:::::10 > 2a02::yyy:zzz::1: DSTOPT (type 0x04: len=1) gre 
[] 86dd 2a01:qqq::ss::1 > 2a01:qqq::ss::2: icmp6: echo reply (id:597c 
seq:2) [flowlabel 0xa8f7b] (len 64, hlim 64) [flowlabel 0xa8f7b] (len 116, hlim 
243)

Unfortunately it never reaches gre0:

doas tcpdump -nvei gre1051 ip6 or icmp6 or proto gre
tcpdump: listening on gre1051, link-type LOOP
07:54:28.107741 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo request 
(id:597c seq:0) [icmp6 cksum ok] (len 64, hlim 64)
07:54:29.109675 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo request 
(id:597c seq:1) [icmp6 cksum ok] (len 64, hlim 64)
07:54:30.110004 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo request 
(id:597c seq:2) [icmp6 cksum ok] (len 64, hlim 64)


> The bare "pass" rule not letting this work makes me feel like there's
> more to this though.

Yes, I also think that there must be more to it, but I just don’t see the trees 
for the forest here.

Thanks
Markus





GRE IP6/IP6 not working as soon as pf is enabled

2022-01-15 Thread Markus Wipp
Hi all, 

This is my first mail to an OpenBSD list, so I hope I chose the correct one.

I’m trying to get a GRE tunnel in combination with pf working a few days now
on my OpenBSD (OpenBSD 7.0 (GENERIC.MP) #232: Thu Sep 30 14:25:29 MDT 2021)
 
If I disable pf with pfctl -d the connection is working and I can ping.
However as soon as I enable pf with pfctl -e the ping stops working (even with 
a configuration that 
should allow all traffic according to my understanding)

The GRE interface looks like:

gre0: flags=8051 mtu 1476
index 44 priority 0 llprio 6
encap: vnetid none txprio payload rxprio packet
groups: gre
tunnel: inet6 2a02::yyy:zzz::1 --> 2a00:::::10 ttl 64 
nodf ecn
inet6 fe80::20d:b9ff:fe44:ecdc%gre1051 -->  prefixlen 64 scopeid 0x2c
inet6 2a01:qqq::ss::2 -->  prefixlen 128

The simplified pf-Rule looks like:

pass
pass on gre proto gre no state

tcpdump shows the following:

doas tcpdump -nvei gre0 ip6 and icmp6 or proto gre 
tcpdump: listening on gre0, link-type LOOP
19:29:15.124113 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo request 
(id:9e45 seq:18) [icmp6 cksum ok] (len 64, hlim 64)
19:29:16.124438 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo request 
(id:9e45 seq:19) [icmp6 cksum ok] (len 64, hlim 64)
19:29:17.124811 2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo request 
(id:9e45 seq:20) [icmp6 cksum ok] (len 64, hlim 64)

and

doas tcpdump -nvei em0 ip6 and icmp6 or proto gre 
tcpdump: listening on em0, link-type EN10MB
19:51:06.126497 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 
2a02::yyy:zzz::1 > 2a00:::::10: gre [] 86dd 2a01:qqq::ss::2 
> 2a01:qqq::ss::1: icmp6: echo request (id:9e45 seq:1329) (len 64, hlim 64) 
[flowlabel 0x367f] (len 108, hlim 64)
19:51:07.126815 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 
2a02::yyy:zzz::11 > 2a00:::::10: gre [] 86dd 
2a01:qqq::ss::2 > 2a01:qqq::ss::1: icmp6: echo request (id:9e45 
seq:1330) (len 64, hlim 64) [flowlabel 0x367f] (len 108, hlim 64)
19:51:08.127252 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 
2a02::yyy:zzz::1 > 2a00:::::10: gre [] 86dd 2a01:qqq::ss::2 
> 2a01:qqq::ss::1: icmp6: echo request (id:9e45 seq:1331) (len 64, hlim 64) 
[flowlabel 0x367f] (len 108, hlim 64)


And 

doas tcpdump -nvei pflog0 
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
19:55:03.962579 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0: 
2a00:::::10 > 2a02::yyy:zzz::1: DSTOPT (type 0x04: len=1) gre 
[] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
19:55:04.964864 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0: 
2a00:::::10 > 2a02::yyy:zzz::1: DSTOPT (type 0x04: len=1) gre 
[] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
19:55:05.963947 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0: 
2a00:::::10 > 2a02::yyy:zzz::1: DSTOPT (type 0x04: len=1) gre 
[] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)


Thanks in advance for any hints on how to solve this issue

Best regards
Markus



Re: (bug?) relayd forward to directives interfering

2021-08-13 Thread Markus Wernig
On 11.08.21 08:40, Vladimir Nikishkin wrote:

> table   { 127.0.0.1 }
> table  { 127.0.0.1 }

Have you tried having the two backend listeners on different IP
addresses rather than on different ports? E.g. 127.0.0.1 and 127.0.0.2?

best /m



Re: Why demotion counter for group carp is set to 33 on boot?

2021-07-15 Thread Markus Wernig
On 7/13/21 9:32 AM, Tom K wrote:

> why demotion counter for group carp is set to 33 on boot? This is the 
> primary firewall and there are no adskew settings in all hostname.carpX 
> files or anywhere else.
> Because of this the other firewall which should be normally the standby 
> (adskew 100), is always MASTER (comes up with carp demote count 0).

I remember similar symptoms when some of my vlan interfaces were
blocking carp traffic. I think I had to add a corresponding rule for every
interface like this:
pass quick on vlan230 inet proto carp from any to any keep state (no-sync)

In another case one of the interfaces on the master was misconfigured
(some typo in hostname.if).

Maybe setting net.inet.carp.log=3 also shows more info.

best /m



Re: rad daemon strange error message

2021-06-30 Thread Markus Wernig
On 6/30/21 1:32 PM, Pierre Dupond wrote:
> veteher30 has no IPv6 link-local address, ignoring
 ^

I don't know rad, but from the output above there seems to be a typo in
some config.



Re: IPv6 NDP Confusion with PF enabled

2021-03-09 Thread Markus Wernig
On 3/8/21 11:05 PM, Antonino Sidoti wrote:

> There is no blocking showing up when I examine the pflog0, 

I would run tcpdump -n -i em0 icmp6 during /etc/netstart with and
without pf enabled. If you see a difference, that should help you find
out what to allow in your ruleset.

/m



Re: seeing carp interface state change for unknown reason ; cluestick hunting

2021-02-06 Thread Markus Wernig

On 2/7/21 1:38 AM, Bryan Stenson wrote:


   31 RTM_IFINFO: iface status change: len 168, if# 3, name cnmac2,
link: no carrier, mtu: 1500,



Just grasping for something here...my next steps are to swap this unit
out with the other one (to try and eliminate hardware failure of THIS
unit).  Any other suggestions?


Check the switch interface for any errors and messages.



Re: OpenBSD VM creation problem

2021-01-22 Thread Markus Wernig

On 1/23/21 3:25 AM, Hakan E. Duran wrote:


I have a few VMs on KVM/QEMU infrastructure. When I try to create an
OpenBSD VM, my key strokes start echoing on the VM console. 


Not sure if this is the same problem, but I did have similar trouble 
with qemu and OpenBSD in the past. I had to disable mpbios and acpimadt 
in the kernel to make it work. See boot_config(8).


From my notes from back then I also explicitly enabled acpi and ioapic, 
but I can't remember why ...


best /markus



Re: auto-boot

2021-01-20 Thread Markus Wernig

On 1/20/21 10:01 AM, Bastien Durel wrote:


If There is no software way to solve this problem, I shall need to buy
a small HDMI screen and drop serial console ...


If the console gets input from the serial port even with no cable 
plugged into it (and not just the other side disconnected), there's most 
likely something wrong with the port. Either it's malfunctioning on the 
electrical level, or some strange mode is set in the BIOS.


best /m



Re: question about hostname.carp

2020-11-04 Thread Markus Wernig

On 11/4/20 4:05 PM, Harald Dunkel wrote:


inet 10.0.1.1 0xff00 NONE vhid 41 pass secret carpdev em1 advbase 1 
advskew 0


If you use the actual broadcast address 10.0.1.255 instead of NONE it 
will work with both.




Re: Encrypted notepad software suggestions

2020-09-28 Thread Markus Wernig
On 9/28/20 4:54 PM, William Orr wrote:

> https://vim.fandom.com/wiki/Encryption

That post is from 2001 (still valid, though).
Vim from the current package defaults to blowfish2 as encryption algorithm.

best /m



Re: Encrypted notepad software suggestions

2020-09-28 Thread Markus Wernig
On 9/28/20 9:18 AM, Martin wrote:

> I'm looking for some notepad with encryption of notes/files created. Simply 
> Text File encryption is suitable too to hide some info from plain text files 
> I have.
Depending on your definition of "notepad", vim (gvim) should have
built-in encryption (:X command), at least it does on Linux.

best /m



Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Markus Wernig
On 9/3/20 5:41 PM, Ernest Stewart wrote:

> And which pf rules and how to establish those routing tables are exactly what 
> I'm asking.
Maybe if you share the output of the ping test from your original mail
we could see what is actually happening.
From your setup I would assume that the IP addresses the hosts are using
for the ping are not what you expect.

best /m



Re: Installation in a Xen guest (pvgrub)

2020-07-24 Thread Markus Kolb

On 24.07.2020 17:30, Theo de Raadt wrote:
[...]

non-OpenBSD bootloaders will do a shitty job of booting OpenBSD.
I'm not going to bother explaining the situation in detail.  People
who try to go that way have already decided they don't care about the
consequences.


Ok. Thanks.

Are you talking about biosboot or 2nd stage boot?

But would it be in theory possible to program a
(1) specialized "bootloader" which is bootable by linux-cmd of grub
and
(2) this specialized "bootloader" continues with the BSD boot code? At 
the moment I'm thinking of 2nd stage boot.
So going from grub 2nd stage via fake-linux-kernel to 2nd stage OpenBSD 
boot...


Part 1 should be doable.
But what about part 2? Would it be possible or are there technical 
system restrictions making it impossible, e.g. CPU operating modes 
or restrictions to access the BIOS?
And so any further thinking and investigation in this way is a waste of 
time...




Re: Installation in a Xen guest (pvgrub)

2020-07-24 Thread Markus Kolb

On 21.07.2020 15:51, Pierre-Philipp Braun wrote:

[...]

GRUB2 should be able to boot an OpenBSD kernel natively *2.  Thing is,
PVGRUB works for PV, not PVH nor PVHVM.  However you might get NetBSD
XEN/PV up and running at your XEN ISP *3, by leveraging PVGRUB indeed
*3.  And in case UFS is not built-into their PVGRUB binary (that would
be weird, as one usually builds pvgrub with all possible modules
within), you would still be able to boot it on EXT2 with poor disk
performance *4.

*1 
http://xenbits.xen.org/docs/unstable/man/xl.cfg.5.html#Direct-Kernel-Boot

*2
https://www.gnu.org/software/grub/manual/grub/html_node/Supported-kernels.html
*3 https://pub.nethence.com/booting/grub
*4 https://pub.nethence.com/bsd/malabar


The filesystem modules are available in the pvgrub. But no modules for 
booting openbsd or netbsd. So "kopenbsd" or "knetbsd" or "multiboot" is 
not available. Only "linux".
Grub does not support these modules for the xen builds (pvgrub). I've 
checked it in the sources. There is only code for BSD for the hardware 
build targets of grub and not the xen targets.




Re: Installation in a Xen guest (pvgrub)

2020-07-16 Thread Markus Kolb

On 10.07.2020 23:30, Demi M. Obenour wrote:

[...]


For me, OpenBSD boots fine in HVM mode (with an I/O emulator).
I have not tried PVH mode and would not expect it to work.  PV mode
definitely won’t work, and should be avoided anyway for both security
and performance reasons.

Is HVM mode okay, or do you need PVH?


I'd like to install and boot it in a remote service provider 
environment.
There I have only Linux systems available to install and a Linux rescue 
system to switch over.

The installation is not the problem. I could also use a disk image.
For boot I can only rely on a bunch of provided Linux kernels or the 
pvgrub stuff to boot from the disks.
So the only chance to get it running would be the way with the 
"Xen-grub" I think, if there is no possibility that Linux has learned to 
boot (not virtual) BSD ;-)


Would there be a chance to hack on the Linux boot code to boot the 
BSD kernel? Does it make sense to look into how this boot works, or doesn't 
it make sense at all?!




Installation in a Xen guest (pvgrub)

2020-07-09 Thread Markus Kolb

Hi,

is there a possibility to install/boot OpenBSD in a Xen guest which is 
booted by pvgrub1 or pvgrub2? The pvgrub is configured to use a 
/boot/grub/grub.cfg of the guest in the 1st partition.


In a non-Xen-grub there is a bsd-module which can boot the installer 
bsd.rd, but this bsd-module is not available in the xenhost-builds of 
grub.

There is also no chain-module for chainloader configs.

Any ideas?

Thanks
Markus



Re: pfsync interface in carp group

2020-06-09 Thread Markus Wernig
On 6/9/20 9:25 PM, Paul B. Henson wrote:

> Hmm, I had never considered using jumbo frames. 
...
> I guess multicast would work too 

Neither jumbo frames nor multicast will prevent group demotion when the
other side of a crosslink cable goes physically down. Only not having
the sync interface in the carp group will.



Re: pfsync interface in carp group

2020-06-08 Thread Markus Wernig
On 6/9/20 12:27 AM, Paul B. Henson wrote:

> Yes, I am using a direct link between the two physical firewalls.
[...]
> Is this no longer a best practice?

If it's in the documentation, I suppose it still is.

But I have found it problematic, because taking down one firewall, or
even only its sync interface, will automatically demote the sync
interface on the other one, which then will affect the whole carp group,
if the interface is part of that group. When I first tried carp in the
lab many, many years ago, I vaguely remember seeing effects similar to
what you describe, and have used switched sync interfaces ever since.



Re: pfsync interface in carp group

2020-06-07 Thread Markus Wernig
On 6/8/20 12:29 AM, Paul B. Henson wrote:
> whenever I rebooted the secondary firewall, the
> carp interfaces on the primary would flip to backup and then back to
> master as the secondary one rebooted

I don't see that behaviour on my carp pair. Are you using a cross-link
cable between the two firewalls? (You shouldn't, in my experience.)

best



Re: Select ssh key from ssh-agent?

2020-05-24 Thread Markus Wernig
On 5/24/20 3:55 AM, David A. Pocock wrote:
> I can't relate; doing this from OpenBSD6.7 to OpenBSD6.7 the ecdsa forward
> through and show up via ssh-add without any issues (and allow using the 
> intermediary host without having the keys present (and being able to choose 
> keys as per the initial question).

If you want to use a specific agent-forwarded key on the intermediary
host, you can put the public key (sic!) in a file on the intermediary
host and use that file with the -i option or in the config file. The
private key for doing the signature during authentication is then
automatically selected from the agent.

/m



Re: Strange behavior when I try to use lladdr

2020-05-22 Thread Markus Wernig
On 5/22/20 12:12 PM, Денис Давыдов wrote:

> I decided to reinstall OpenBSD to a newer version on my VMware ESXi
> cluster. So I deleted an old router and start the new one using the old
> configuration, except that I add lladdr parameter with the old MAC address

Last I looked into it (some years ago) VMware did not allow to manually
set the adapter MAC address in the guest to addresses from some
hardcoded ranges, among which the VMware OUI 00:50:56. According to [1]
this is still the case today, they also specify the range there that can
be used.

> Now if I will stop tcpdump on terminal[2] I'll get packet loss again.
> This is a weird behavior. What could be wrong?

tcpdump by default puts the interface in promiscuous mode, which is why
it picked up frames not addressed to the lladdr you set, but also to
00:50:56:92:d1:18, which seems to be the MAC that VMware has assigned to
the adapter.

/m

[1]
https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.troubleshooting.doc/GUID-7F723748-E7B8-48B9-A773-3822C514684B.html
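An added example (not from the thread or from VMware): a small check to run on a MAC address before putting it into hostname.if as lladdr on a VMware guest. The VMware OUIs are the well-known ones; the boundary of the manually assignable range (fourth octet 00 to 3F under 00:50:56) is my recollection of the VMware documentation linked as [1], so treat it as an assumption and verify it there. 00:50:56:92:d1:18 is the address from the post.

```python
"""Sanity-check a MAC address before assigning it with `ifconfig <if> lladdr`
on a VMware guest.

Added example, not from the thread.  VMWARE_OUIS lists VMware's well-known
vendor prefixes.  The static sub-range 00:50:56:00:00:00 to 00:50:56:3F:FF:FF
is an assumption from memory of VMware's documentation; verify it against the
vSphere page linked in the post.
"""
import re
from typing import Dict, List

VMWARE_OUIS = {
    (0x00, 0x50, 0x56): "VMware",           # vCenter-assigned addresses and the static range
    (0x00, 0x0C, 0x29): "VMware",           # ESXi host-generated addresses
    (0x00, 0x05, 0x69): "VMware (legacy)",
}
# Assumption (see module docstring): fourth octet 0x00..0x3F is the static range.
VMWARE_STATIC_MAX_4TH_OCTET = 0x3F

MAC_RE = re.compile(r"^" + r"[:-]".join([r"([0-9a-fA-F]{2})"] * 6) + r"$")


def parse_mac(text: str) -> bytes:
    """Parse aa:bb:cc:dd:ee:ff (or dash-separated) into 6 bytes, else raise ValueError."""
    m = MAC_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(g, 16) for g in m.groups())


def classify(text: str) -> Dict[str, object]:
    """Describe the address: vendor prefix, I/G and U/L bits, VMware static range."""
    mac = parse_mac(text)
    oui = tuple(mac[:3])
    return {
        "mac": ":".join(f"{b:02x}" for b in mac),
        "oui": ":".join(f"{b:02x}" for b in mac[:3]),
        "vendor": VMWARE_OUIS.get(oui),
        # I/G bit: a multicast address is not usable as a unicast interface address
        "multicast": bool(mac[0] & 0x01),
        # U/L bit: set on addresses an administrator chooses rather than a vendor
        "locally_administered": bool(mac[0] & 0x02),
        "vmware_static_ok": oui == (0x00, 0x50, 0x56) and mac[3] <= VMWARE_STATIC_MAX_4TH_OCTET,
    }


def lladdr_warnings(text: str) -> List[str]:
    """Warnings a practitioner would want before committing the lladdr to hostname.if."""
    info = classify(text)
    warnings = []
    if info["multicast"]:
        warnings.append("multicast bit set: not a valid unicast interface address")
    if info["vendor"] is not None and not info["vmware_static_ok"]:
        warnings.append(
            f"{info['oui']} is a {info['vendor']} prefix outside the static range; "
            "VMware reserves it for automatically generated addresses (the post's symptom)"
        )
    if info["vendor"] is None and not info["locally_administered"]:
        warnings.append(
            "globally unique prefix of another vendor; prefer a locally administered "
            "address (second hex digit 2, 6, a or e) to avoid clashing with real hardware"
        )
    return warnings


if __name__ == "__main__":
    for candidate in ("00:50:56:92:d1:18", "00:50:56:12:34:56", "02:aa:bb:cc:dd:ee"):
        print(candidate, classify(candidate)["vendor"], lladdr_warnings(candidate))
```

A locally administered address sidesteps the vendor-range problem entirely. To confirm the promiscuous-mode effect described above without changing any configuration, run tcpdump with -p (no promiscuous mode): if the frames stop showing up, the adapter is receiving them only because promiscuous mode was on.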



Re: 550 Invalid recipient domain

2020-02-04 Thread Markus Lude
On Tue, Feb 04, 2020 at 12:33:18AM +0200, Anne Wainwright wrote:
> Hi,
>
> OK, maybe this query should be for another mailing list.
>
> Getting mail to my BSD 6.4 server has been an issue. I have Postfix
> running. The mail is fetched by fetchmail. As far as I know both
> .fetchmailrc and /etc/aliases are correct.
>
> But the 550 message shows in maillog when the mail has come in and is
> then shown going out to my ISP's smtp server for user@localhost which
> of course rejects this as an undeliverable address. It does not get put
> into the mailbox at all.
>
> Surely this is some small stupid thing beyond my ken! If someone can
> point me in the right direction I would be very grateful.
>
> Perhaps part of the issue is that the name part of the email address to
> the server is not the same as the name of the user that it is to be
> delivered to. I am about to revise that to simplify things, though
> hoping a small correction somewhere might make that unnecessary.

If I understand you correctly:

mail fetched by fetchmail has a recipient address like *@localhost and
the mail is then relayed to your smarthost (ISP's smtp server) and
rejected there?

I think your mydestination setting is wrong and is missing localhost
or did you mess up transport?

Hard to say without config parts and logs.

Regards,
Markus

PS: OpenBSD 6.4 is no longer supported



Re: usr/bin/whois: Query terms are ambiguous

2020-01-07 Thread Markus Lude
On Tue, Jan 07, 2020 at 06:49:40PM +0100, Johannes Krottmayer wrote:
> Hi,

Hi Johannes,

> I have a strange issue, when using the "whois" client.
>
> Always get the following as example:
> [...]
> #
> # Query terms are ambiguous.  The query is assumed to be:
> # "n 62.46.172.92"
> #
> # Use "?" to get help.
> #
> [...]
>
> I have OpenBSD 6.6 installed on two systems. The issue exists
> on all those systems.
>
> Have looked for a bug (for a leading "n " string) in the
> source of whois. But didn't find anything. I have also installed
> OpenBSD on a vbox and analyzed the query with wireshark.

I think you misunderstood the message.

The whois binary only sends "62.46.172.92" to the whois server, as you
may see in your trace below.

> But I think the query is correct (Ethernet frame):
>    60 38 e0 c2 bd 30 08 00 27 06 0f 2d 08 00 45 00  `8...0..'..-..E.
> 0010   00 42 62 43 40 00 40 06 dc 7c 0a 2a 2a 57 c7 47  .BbC@.@..|.**W.G
> 0020   00 2e 60 1a 00 2b c7 76 ec 0f 9b fd 95 79 80 18  ..`..+.v.y..
> 0030   01 00 d3 cf 00 00 01 01 08 0a 00 13 e6 e0 a4 51  ...Q
> 0040   91 22 36 32 2e 34 36 2e 31 37 32 2e 39 32 0d 0a  ."62.46.172.92..
>
> No leading "n " string.
>
> Has somebody noticed the same issue?

The server on the other hand could handle different record types, for
example "n ..." for network address space, but there are more.
If the record type is missing the server assumes (in this case) the
record type is n and notifies you of this assumption.
So it may be the other way around, "n " may be missing here in the
query to the ARIN whois server.

Compare the output of the following two:

telnet whois.arin.net 43
62.46.172.92

which is also what you get with "whois 62.46.172.92"
and this:

telnet whois.arin.net 43
n 62.46.172.92

and if you want to see the mentioned help above:

telnet whois.arin.net 43
?

whois.apnic.net and whois.ripe.net understand "help" to display options.

There seems to be no "standard" for options in queries to whois
servers.

Regards,
Markus
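An added example (not code from the list or from whois(1)) that decodes the frame from Johannes' post and builds queries the way the reply describes. FRAME_HEX is the Ethernet frame transcribed from the hex dump in the post, NOTICE_FROM_POST is the server notice quoted there, and the record-type prefix is the "n" convention explained above. The decoder walks Ethernet, IPv4 and TCP headers by hand so the payload can be checked byte for byte rather than read off a garbled ASCII column.

```python
"""Decode the captured whois query frame from the post and build or inspect
whois queries with an explicit record-type prefix.

Added example, not code from the list or from whois(1).  FRAME_HEX is the
frame from the post's hex dump; NOTICE_FROM_POST is the server notice the
post quotes.
"""
import re
import socket
import struct
from typing import Dict, Optional

# Transcribed from the post (hex columns only; the ASCII gutter was garbled).
FRAME_HEX = """
60 38 e0 c2 bd 30 08 00 27 06 0f 2d 08 00 45 00
00 42 62 43 40 00 40 06 dc 7c 0a 2a 2a 57 c7 47
00 2e 60 1a 00 2b c7 76 ec 0f 9b fd 95 79 80 18
01 00 d3 cf 00 00 01 01 08 0a 00 13 e6 e0 a4 51
91 22 36 32 2e 34 36 2e 31 37 32 2e 39 32 0d 0a
"""

# Quoted from the post.
NOTICE_FROM_POST = (
    "#\n"
    "# Query terms are ambiguous.  The query is assumed to be:\n"
    '# "n 62.46.172.92"\n'
    "#\n"
    '# Use "?" to get help.\n'
    "#\n"
)

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def decode_frame(hex_dump: str) -> Dict[str, object]:
    """Walk Ethernet -> IPv4 -> TCP and return the headers plus the TCP payload."""
    frame = bytes.fromhex(hex_dump)
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet/IPv4/TCP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4, ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]    # IPv4 total length bounds the TCP segment
    if ip[9] != 6:
        raise ValueError(f"not TCP, protocol {ip[9]}")
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4                  # TCP header length incl. options
    flags = tcp[13]
    return {
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "dst_mac": ":".join(f"{b:02x}" for b in frame[0:6]),
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "src_port": sport,
        "dst_port": dport,
        "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
        "payload": tcp[data_off:],
    }


def build_whois_query(term: str, record_type: Optional[str] = None) -> bytes:
    """Bytes sent to port 43: an optional record type, the term, then CRLF."""
    if any(c in term for c in "\r\n"):
        raise ValueError("query term must not contain line breaks")
    line = f"{record_type} {term}" if record_type else term
    return line.encode("ascii") + b"\r\n"


AMBIGUOUS_RE = re.compile(r'Query terms are ambiguous\.\s+The query is assumed to be:\s*#?\s*"([^"]+)"')


def assumed_query(response: str) -> Optional[str]:
    """The query the server says it assumed, or None if there is no such notice."""
    m = AMBIGUOUS_RE.search(response)
    return m.group(1) if m else None


if __name__ == "__main__":
    decoded = decode_frame(FRAME_HEX)
    print(decoded["src_ip"], "->", decoded["dst_ip"], "port", decoded["dst_port"], decoded["flags"])
    print("sent:", decoded["payload"])
    print("server assumed:", assumed_query(NOTICE_FROM_POST))
```

The decoded payload is exactly the address plus CRLF, which is the point of the reply: the "n " the server reports is its own assumption, not something the client sent. Comparing the bytes `build_whois_query` produces with and without a record type against what `assumed_query` extracts makes the mismatch visible without a network connection.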



Re: pfsync on VLAN - supported ?

2019-11-14 Thread Markus Wernig
On 14.11.2019 11:30, Rachel Roch wrote:
>>> Does this mean Bad Things (TM) will happen if I try to use a dedicated vlan 
>>> interface for pfsync ?
I have had pfsync running happily over a vlan interface for years, never
a problem.

> Regarding the extra port, in my case I'm using that for LACP (my switches 
> support distributed LACP, so i can have two cables going into two switches)
Having the sync port physically redundant and connected to a switch is a
very good idea, because a crossover cable will cause a carp demote
whenever the other firewall goes down or is rebooted, afair.

best /m



Re: random packet drops with syncookies/synproxy

2019-11-14 Thread Markus Wernig
On 09.11.2019 15:24, Claudio Jeker wrote:

>> So nobody is using syncookies/synproxy at all?
> 
> I guess that is a reasonably safe assumption. syncookies are rather new
> and probably need more battle testing.

OK, then I will send a bug report.

> synproxy never helped me much in
> case of a SYN attack since it will cause pf(4) to hit the state limit no
> matter what you do and then stuff starts to break.

Yes, synproxy will not help with that, but syncookies should. But the
syncookies entry in the man page also states that a connection opened
via syncookie will then run through synproxy, so the problem I'm seeing
might be in either one.

best /



Re: random packet drops with syncookies/synproxy

2019-11-09 Thread Markus Wernig
Hm, also no replies to that one :-)

On 11/6/19 8:15 PM, Markus Wernig wrote:

> So just to make sure: Is anybody using syncookies and/or synproxy in
> production in a similar setup?

So nobody is using syncookies/synproxy at all?

best /m



Re: random packet drops with syncookies/synproxy

2019-11-06 Thread Markus Wernig
Hi again

Nobody has answered, so I suppose nobody else has this problem :-)
That's good.

So just to make sure: Is anybody using syncookies and/or synproxy in
production in a similar setup?

Thx /markus


On 11/4/19 8:35 PM, Markus Wernig wrote:
> Hi all
> 
> After being hit by some synflood waves recently I enabled syncookies on
> our OBSD 6.6 i386 CARP fw pair:
> 
> set syncookies always
> 
> This stopped the state table from filling up. But after some hours pf
> started (randomly?) dropping legitimate connection attempts, both on
> external->internal (dst-natted) and on internal->internal (not natted)
> connections (TCP only, afaict).
> 
> Looking at pflog and the rule number that blocked the packet, it seems
> that the preceding "pass quick" rules matching the packets were ignored.
> 
> The packets that were dropped were the ACK ones, so the SYN-SYNACK seems
> to have taken place. The client then usually retransmitted the ACK,
> which kept being dropped for ca. 15-20 seconds, after which time it was
> suddenly accepted and the connection established. Many times also only
> the first ACK was dropped, and the first retransmit was accepted.
> 
> So I disabled syncookies and set the relevant ~5 external->internal
> rules to synproxy state.
> 
> With that, the same behaviour happened within a few minutes.
> 
> During that time pfctl -vsi showed the "synproxy" counter increasing by
> multiple thousands per second (sic), while the state table entries
> remained stable around 500 (their normal value).
> 
> So I disabled the synproxy state again, but reloading the rules with
> pfctl was not enough, I had to reboot both boxes to stop them from
> dropping legitimate connections. With both syncookies and synproxy
> disabled, the problem does not occur.
> 
> Is anybody aware of anything that could trigger this behaviour? Or have
> any hint where I could look further? I have all the log files if more
> info is needed.
> 
> thx /markus
> 
> (btw. the behaviour was the same on 6.5)
> 



random packet drops with syncookies/synproxy

2019-11-04 Thread Markus Wernig
Hi all

After being hit by some synflood waves recently I enabled syncookies on
our OBSD 6.6 i386 CARP fw pair:

set syncookies always

This stopped the state table from filling up. But after some hours pf
started (randomly?) dropping legitimate connection attempts, both on
external->internal (dst-natted) and on internal->internal (not natted)
connections (TCP only, afaict).

Looking at pflog and the rule number that blocked the packet, it seems
that the preceding "pass quick" rules matching the packets were ignored.

The packets that were dropped were the ACK ones, so the SYN-SYNACK seems
to have taken place. The client then usually retransmitted the ACK,
which kept being dropped for ca. 15-20 seconds, after which time it was
suddenly accepted and the connection established. Many times also only
the first ACK was dropped, and the first retransmit was accepted.

So I disabled syncookies and set the relevant ~5 external->internal
rules to synproxy state.

With that, the same behaviour happened within a few minutes.

During that time pfctl -vsi showed the "synproxy" counter increasing by
multiple thousands per second (sic), while the state table entries
remained stable around 500 (their normal value).

So I disabled the synproxy state again, but reloading the rules with
pfctl was not enough, I had to reboot both boxes to stop them from
dropping legitimate connections. With both syncookies and synproxy
disabled, the problem does not occur.

Is anybody aware of anything that could trigger this behaviour? Or have
any hint where I could look further? I have all the log files if more
info is needed.

thx /markus

(btw. the behaviour was the same on 6.5)
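The drop pattern described above (handshake completes, then the client's bare ACK keeps hitting a block rule until a retransmit finally passes) is visible in pflog. The following is an added example, not from the thread: a parser for pflog lines in the form tcpdump prints them, grouping blocked bare ACKs per flow and per rule so that a rule which mostly blocks ACKs of already accepted connections stands out from one blocking fresh SYNs. The log lines, addresses, rule numbers and timestamps are constructed.

```python
"""Spot blocked bare ACKs (the symptom in the thread) in pflog output.

Added example, not from the post.  The log lines are constructed to look
like "tcpdump -n -e -ttt -i pflog0" output on OpenBSD: rule number, action,
direction, interface, endpoints, then the TCP flag character ("S" for SYN,
"." for a bare ACK).  All addresses, rule numbers and times are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

PFLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\(match\) (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
)

# Constructed sample: three retransmitted bare ACKs from one client and one
# from an internal host are blocked by rule 12; a blocked SYN on rule 12 is
# an ordinary policy block; a passed SYN on rule 3 is noise for this check.
SAMPLE_LOG = """\
Nov 04 20:35:01.000100 rule 12/(match) block in on em0: 203.0.113.7.49152 > 192.0.2.10.443: . ack 1 win 2048
Nov 04 20:35:02.000100 rule 12/(match) block in on em0: 203.0.113.7.49152 > 192.0.2.10.443: . ack 1 win 2048
Nov 04 20:35:04.000100 rule 12/(match) block in on em0: 203.0.113.7.49152 > 192.0.2.10.443: . ack 1 win 2048
Nov 04 20:35:05.500000 rule 12/(match) block in on em0: 198.51.100.9.40000 > 192.0.2.10.22: S 1:1(0) win 65535
Nov 04 20:35:06.000100 rule 12/(match) block in on em1: 10.0.0.5.51000 > 10.0.1.8.5432: . ack 1 win 1024
Nov 04 20:35:07.000100 rule 3/(match) pass in on em0: 203.0.113.9.50000 > 192.0.2.10.443: S 5:5(0) win 65535
"""


def parse_pflog_line(line):
    """Return a dict for one tcpdump/pflog line, or None if it does not match."""
    m = PFLOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S.%f")
    rec["rule"] = int(rec["rule"])
    return rec


def bare_ack_blocks(lines):
    """Group blocked bare-ACK packets per (rule, src, dst) flow.

    A client only sends a bare ACK after it has seen the SYN-ACK, so a run
    of these being blocked means pf no longer has (or never created) the
    state the handshake should have left behind.  The span in seconds shows
    how long the client kept retrying before giving up or getting through."""
    flows = {}
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block" or rec["flags"] != ".":
            continue
        key = (rec["rule"], rec["src"], rec["dst"])
        ent = flows.setdefault(key, {"count": 0, "first": rec["ts"], "last": rec["ts"]})
        ent["count"] += 1
        ent["first"] = min(ent["first"], rec["ts"])
        ent["last"] = max(ent["last"], rec["ts"])
    return [
        {"rule": r, "src": s, "dst": d, "count": e["count"],
         "span_s": (e["last"] - e["first"]).total_seconds()}
        for (r, s, d), e in sorted(flows.items())
    ]


def block_totals_by_rule(lines):
    """Count blocked packets per rule, split by TCP flag class."""
    totals = defaultdict(lambda: {"syn": 0, "ack": 0, "other": 0})
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block":
            continue
        if "S" in rec["flags"]:
            cls = "syn"
        elif rec["flags"] == ".":
            cls = "ack"
        else:
            cls = "other"
        totals[rec["rule"]][cls] += 1
    return dict(totals)


if __name__ == "__main__":
    for flow in bare_ack_blocks(SAMPLE_LOG.splitlines()):
        print(flow)
    print(block_totals_by_rule(SAMPLE_LOG.splitlines()))
```

Feed it `tcpdump -n -e -ttt -r /var/log/pflog` output instead of the sample to see whether the blocked packets on the rule number from pflog are bare ACKs clustered over 15-20 seconds per client, which separates the lost-state symptom from a genuine policy block.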



Re: Upgrade procedure (6.4 -> 6.5)

2019-05-02 Thread Markus Hennecke
On 02.05.2019 at 09:52, Consus wrote:
> I've upgraded my systems from 6.4 to 6.5 without a glitch, but I see
> that /etc/networks and some other files (like malloc.conf.5) are still
> present, although there is no use for them in the new release.
> 
> Is there a reason why these files are not listed in "Files to remove"?
> Is there a way to track them? It's not like something gonna break, but
> old configuration files (and manual pages) lying around can make
> someone's life harder during the debug session.

Take a look at the sysutils/sysclean port.

Regards
Markus



Re: Infinite spin when trying to burn a CD

2019-03-27 Thread Markus Rosjat

Hi,

for your output ...

On 26.03.2019 at 22:45, Jérôme FRGACIC wrote:


write track data: error after 552960 bytes
cdrecord: A write error occured.
cdrecord: Please properly read the error message above.
cdrecord: Input/output error. test unit ready: scsi sendcmd: retryable 
error

CDB:  00 00 00 00 00 00
status: 0x0 (GOOD STATUS)
cmd finished after 0.000s timeout 40s


test unit ready checks if the device is ready to do what you want it to do.


cdrecord: Input/output error. flush cache: scsi sendcmd: retryable error
CDB:  35 00 00 00 00 00 00 00 00 00
status: 0x0 (GOOD STATUS)
cmd finished after 0.000s timeout 120s
Trouble flushing the cache
Writing  time:    5.115s
Average write speed 860.1x.
Fixating...


this CDB tries to sync the cache and it seems to have a problem here; the
good status indicates that the CDB was received by the device, after that
it seems to get into trouble


cdrecord: Input/output error. close track/session: scsi sendcmd: 
retryable error

CDB:  5B 00 02 00 00 00 00 00 00 00
status: 0x0 (GOOD STATUS)
cmd finished after 0.009s timeout 480s
cmd finished after 0.009s timeout 480s


this CDB tries to close the track/session. I don't know why you get a cmd
finished twice here; maybe it's related to the cache problem.



cdrecord: faio_wait_on_buffer for writer timed out.
cdrecord: Input/output error. prevent/allow medium removal: scsi 
sendcmd: retryable error

CDB:  1E 00 00 00 00 00
status: 0x0 (GOOD STATUS)
cmd finished after 0.000s timeout 40s


here you have your cdb for removing the media again


cdrecord: Cannot fixate disk.
Fixating time:  466.776s
cdrecord: Input/output error. prevent/allow medium removal: scsi 
sendcmd: retryable error

CDB:  1E 00 00 00 00 00
status: 0x0 (GOOD STATUS)
cmd finished after 0.000s timeout 40s


and once again, because he could fixate it before, I guess


cdrecord: fifo had 77 puts and 10 gets.
cdrecord: fifo was 0 times empty and 2 times full, min fill was 89%.



so this is what happens according to the log; why it happened I can't tell from this
output, but again, the trouble starts with syncing the cache, I guess.


regards
--
Markus Rosjat    fon: +49 351 8107224    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT




Re: Infinite spin when trying to burn a CD

2019-03-26 Thread Markus Rosjat

sorry, it might have got a bit confusing

On 26.03.2019 at 15:41, Markus Rosjat wrote:


cd0(ahci0:2:0): Check Condition (error 0x70) on opcode 0x1e
 SENSE KEY: Illegal Request



the opcode is for the CDB prevent/allow medium removal, so I assume your
hardware got a problem with the CDB sent by the software, so it might be
in a state where it still wants to read/write stuff.


it means the opcode does allow or prevent media removal; it depends on
the prevent bits in the CDB, but you basically just have a 00 for allow
or a 01 for prevent in the CDB. Anyway, since sense already told you the
request is illegal, you have to figure out what came before the removal
request, so you might get a clue what state the hardware is still in.


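As an added example (not from the thread), the decoder below names the SCSI commands behind the "CDB:" lines quoted in the earlier reply (TEST UNIT READY, SYNCHRONIZE CACHE, CLOSE TRACK/SESSION, PREVENT ALLOW MEDIUM REMOVAL) and reads the prevent/allow bit discussed in this one, plus the opcode from the dmesg Check Condition line. The sample text is copied from the quoted cdrecord and dmesg lines; the opcode table covers only those commands.

```python
"""Name the SCSI commands behind cdrecord's "CDB:" lines and a dmesg
"Check Condition ... on opcode" line, and decode the prevent/allow field.

Added example, not from the posts.  Opcode names follow the SCSI primary
and MMC command sets; the table only covers opcodes that appear in the
quoted output, and the sample text is copied from those quotes.
"""
import re

OPCODES = {
    0x00: "TEST UNIT READY",
    0x1E: "PREVENT ALLOW MEDIUM REMOVAL",
    0x35: "SYNCHRONIZE CACHE(10)",
    0x5B: "CLOSE TRACK/SESSION",
}

CDB_RE = re.compile(r"^\s*CDB:\s+((?:[0-9A-Fa-f]{2}\s*)+)$")
DMESG_RE = re.compile(r"Check Condition \(error 0x([0-9a-fA-F]+)\) on opcode 0x([0-9a-fA-F]+)")

# Copied from the cdrecord output and dmesg line quoted in the thread.
SAMPLE = """\
CDB:  00 00 00 00 00 00
CDB:  35 00 00 00 00 00 00 00 00 00
CDB:  5B 00 02 00 00 00 00 00 00 00
CDB:  1E 00 00 00 00 00
CDB:  1E 00 00 00 00 00
cd0(ahci0:2:0): Check Condition (error 0x70) on opcode 0x1e
"""


def decode_cdb(cdb):
    """Describe one CDB; field decoding is limited to what the thread covers."""
    op = cdb[0]
    info = {"opcode": op, "name": OPCODES.get(op, "unknown opcode"), "length": len(cdb)}
    if op == 0x1E and len(cdb) >= 5:
        prevent = cdb[4] & 0x03          # bits 1:0 of byte 4: 0 = allow, 1 = prevent
        info["prevent"] = prevent
        info["meaning"] = "allow medium removal" if prevent == 0 else "prevent medium removal"
    if op == 0x35 and len(cdb) >= 2:
        info["immed"] = bool(cdb[1] & 0x02)   # IMMED bit: return before the flush completes
    return info


def parse_cdb_line(line):
    """Bytes of a 'CDB:  xx xx ...' line, or None for any other line."""
    m = CDB_RE.match(line)
    return bytes.fromhex("".join(m.group(1).split())) if m else None


def parse_check_condition(line):
    """(sense response code, opcode) from a dmesg Check Condition line."""
    m = DMESG_RE.search(line)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None


def analyse(text):
    """Walk the output, decoding every CDB and any Check Condition report."""
    out = []
    for line in text.splitlines():
        cdb = parse_cdb_line(line)
        if cdb is not None:
            out.append(("cdb", decode_cdb(cdb)))
            continue
        cc = parse_check_condition(line)
        if cc is not None:
            code, op = cc
            # 0x70 is the fixed-format "current error" sense response code;
            # the SENSE KEY line that follows in dmesg says what went wrong.
            out.append(("check_condition", {"response_code": code, "opcode": op,
                                            "name": OPCODES.get(op, "unknown opcode")}))
    return out


if __name__ == "__main__":
    for kind, info in analyse(SAMPLE):
        print(kind, info)
```

On the quoted output this yields the sequence the reply walks through by hand: TEST UNIT READY, SYNCHRONIZE CACHE, CLOSE TRACK/SESSION and two PREVENT ALLOW MEDIUM REMOVAL commands with the field set to allow, and the dmesg line resolves opcode 0x1e to the same command.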




Re: Infinite spin when trying to burn a CD

2019-03-26 Thread Markus Rosjat

Hi,

might not be too much help, but

On 26.03.2019 at 14:57, Maurice McCarthy wrote:

I never looked at your dmesg earlier. These lines

cd0(ahci0:2:0): Check Condition (error 0x70) on opcode 0x1e
 SENSE KEY: Illegal Request



the opcode is for the CDB prevent/allow medium removal, so I assume your
hardware got a problem with the CDB sent by the software, so it might be
in a state where it still wants to read/write stuff.


if you really want to figure out what the sense code or the check
condition error means, you have to read up on the SBC specification on t10.org, I
guess




suggest the Openbsd system finds something wrong with your hardware.
I'm not clever enough to speculate further. Sorry.



regards




Re: httpd acme-client renew multiple domains

2019-03-26 Thread Markus Rosjat

Hi Mischa,

if you like some Python, I've got a small script for multiple-domain cert
renewal on my GitHub. I hope it's ok to post the link here


https://github.com/rosjat/scripts/blob/master/shell/OpenBSD/acme_renew

it's nothing fancy and you can modify it for your needs or maybe make it
better :)


regards





Re: pppoe(4) and vlan(4)

2019-02-25 Thread Markus Hennecke
On 25.02.2019 at 16:30, Thomas Huber wrote:
> Hi misc,
> 
> i got the opportunity to have 4 ADSL links to my rural site.
> Two links have already been there and OpenBSD -stable running a APU2 is
> shaping the traffic between this two links.
> 
> But now I struggle with setting up the 3rd (pppoe2) link.
> As far as I know I´ve to go through a  vlan(4) with vnetid 7 and this seems
> to be valid information
> because the pppoe debug-logs are more extensive than when trying to connect
> without the vlan between em0 and pppoe2:
> 
> # cat /var/log/messages
> [...]
> Feb 25 10:14:49 router /bsd: pppoe2 (8864) state=3, session=0xa3 output ->
> 88:a2:5e:1e:52:88, len=17
> Feb 25 10:14:49 router /bsd: pppoe2: lcp input(req-sent):  len=14
> 05-06-d3-66-5d-a2-01-04-05-d4-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00>
> Feb 25 10:14:49 router /bsd: pppoe2: lcp req-sent->ack-rcvd
> Feb 25 10:14:50 router /bsd: pppoe2: lcp TO(ack-rcvd) rst_counter = 10
> Feb 25 10:14:50 router /bsd: pppoe2: lcp ack-rcvd->req-sent
> Feb 25 10:14:50 router /bsd: pppoe2: lcp output  05-06-d3-66-5d-a2-01-04-05-d4>
> Feb 25 10:14:50 router /bsd: pppoe2 (8864) state=3, session=0xa3 output ->
> 88:a2:5e:1e:52:88, len=22
> Feb 25 10:14:50 router /bsd: pppoe2: lcp input(req-sent):  len=14
> 05-06-d3-66-5d-a2-01-04-05-d4-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00>
> Feb 25 10:14:50 router /bsd: pppoe2: lcp req-sent->ack-rcvd
> Feb 25 10:14:51 router /bsd: pppoe2: lcp TO(ack-rcvd) rst_counter = 10
> Feb 25 10:14:51 router /bsd: pppoe2: lcp ack-rcvd->req-sent
> Feb 25 10:14:51 router /bsd: pppoe2: lcp output  05-06-d3-66-5d-a2-01-04-05-d4>
> Feb 25 10:14:51 router /bsd: pppoe2 (8864) state=3, session=0xa3 output ->
> 88:a2:5e:1e:52:88, len=22
> Feb 25 10:14:51 router /bsd: pppoe2: lcp input(req-sent):  len=14
> 05-06-d3-66-5d-a2-01-04-05-d4-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00>
> Feb 25 10:14:51 router /bsd: pppoe2: lcp req-sent->ack-rcvd
> 
> But to be honest I don´t know what this means and where to look further.
> The ADSL modem is able to sync and a ISP-provided router-modem is also able
> to establish connection.
> 
> # cat /etc/hostname.pppoe2
> 
> inet 0.0.0.0 255.255.255.255 NONE \
> pppoedev vlan0 authproto pap \
> authname 'xxx' authkey 'xxx'
> dest 0.0.0.3
> inet6 eui64
> debug
> up
> !/sbin/route add default -ifp pppoe1 0.0.0.3
> !/sbin/route add -inet6 default -ifp pppoe1 fe80::%pppoe2

Why does it mention pppoe1 in the route add statements here? If I'm not
mistaken these should be pppoe2.

> 
> # cat /etc/hostname.vlan0
> 
> inet 0.0.0.3 255.255.255.255 NONE descr VODDSL vlan 7 vlandev em0

Why do you have 0.0.0.3 assigned to the vlan interface? My 6.4 router
just has "vnetid 7 parent em0" + "up" in /etc/hostname.vlan7.

> # cat /etc/hostname.em0
> 
> up
> 
> Without understanding the internals of ADSL or PPPoE, I just copied this
> configuration from the functional hostname.pppoe[0|1]
> but this links work fine without the additional vlan(4). Guess this is
> related to something ISP-thing called "BNG"
> The related ISP is Vodafone in Germany which is using the Telekom
> infrastructure just in case this is relevant.
> 
> Anybody any clue how to set this connection up correctly or where to look?
> Thanks
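Putting the two corrections in this reply together (routes on pppoe2 rather than pppoe1, and a plain vlan interface configured with vnetid and parent instead of carrying an address), here is an added configuration example; it is not from the thread. It assumes the vlan interface is named vlan7 as in the reply, and it keeps the authentication placeholders and the 0.0.0.3 destination from the original files.

```text
# /etc/hostname.vlan7  (assumed name; carries no address of its own)
vnetid 7 parent em0
up

# /etc/hostname.pppoe2  (every reference now names pppoe2, and the
# PPPoE device is the vlan interface above)
inet 0.0.0.0 255.255.255.255 NONE \
    pppoedev vlan7 authproto pap \
    authname 'xxx' authkey 'xxx'
dest 0.0.0.3
inet6 eui64
debug
up
!/sbin/route add default -ifp pppoe2 0.0.0.3
!/sbin/route add -inet6 default -ifp pppoe2 fe80::%pppoe2

# /etc/hostname.em0  (unchanged: the physical port only needs to be up)
up
```

The point of the split is that the PPPoE session is the only thing that should own an address on this path; the vlan(4) interface merely tags frames with VLAN 7 on their way to em0.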



Re: python3 script not running as root

2018-11-15 Thread Markus Rosjat

Hi Marc,

On 15.11.2018 at 14:05, Marc Espie wrote:

6.4, or snapshot ?

there was an unveil snafu with doas a few days ago.


6.4 release




Re: python3 script not running as root

2018-11-15 Thread Markus Rosjat

Hi Martin and  Daniel,

On 15.11.2018 at 09:24, Martin Sukany wrote:

Hi,

you'd fix this by defining PATH variable in your crontab, or specify 
the full path to python3 interpreter instead using env.


as Daniel also suggested, I will try the PATH crontab approach, and
this is because scripts with a full path in the shebang don't seem to run
anymore on 6.4


regards




python3 script not running as root

2018-11-14 Thread Markus Rosjat

Hi all,

I have a python script to get some traffic stats from my machines and it
is running without problems except for a newly installed OpenBSD 6.4
machine. There I get the following error:


env: python3: No such file or directory

This only happens when the cronjob is running; when I run it from the
terminal with doas it works. That is kinda odd since both root and my
user have python3 and env in their $PATH, at least the path to the
executable.


some hints would be appreciated.

regards




GAMIN question again

2018-11-07 Thread Markus Rosjat

Hi all,


so as far as I understand now, gam_server should be started if a user
logs in (like over imap) but it seems not to work. The docs mentioned in
the /etc/garmin/garminrc file are also not helpful because they only tell
you to look at the fam docs or API refs, but I don't want to use the API; I want to
configure gamin to start gam_server when a user logs in.


so in the rc file you see something like

fsset ffs none

so I thought okay, I might change that to

fsset ffs notify

but no changes, also

fsset ffs poll 1

doesn't seem to have an effect, so to all out there who are using gamin,
enlighten me how to configure it please


regards




Re: migrate python script from sudo to doas

2018-11-03 Thread Markus Rosjat

Hi Vincent,

On 03.11.2018 at 07:22, vincent delft wrote:

Hello Markus,

I cannot reproduce your problem.

As you can see here under I can create a user "test1" on the command line,
and, with the same userid, I can create it with python2 and python3 too.
(I'm running 6.4)

I see 2 possible causes:
- your python script,
- or maybe the userid for which your python script runs is not the one
defined in doas.conf.
I switched back to the spawnl function and it worked with doas, so I will stick
with that since it's working. Maybe later I will revisit the problem and
give it another try.


regards




Re: relayd.conf it's so confusing

2018-11-02 Thread Markus Rosjat

Hi again,


On 02.11.2018 at 11:26, Markus Rosjat wrote:
..  but also the match defined in the newly defined protocol is still
working. That's something that shouldn't happen at all.



this seems to be resolved and was more or less browser related




relayd.conf it's so confusing

2018-11-02 Thread Markus Rosjat

Hi all,

I have a relayd running that inspects the Host header of incoming
traffic and then makes a decision to which server it should relay the
traffic. So far so good, but a few things don't add up after a few changes.


for example I have a protocol definition like so:

http protocol "httpproxy" {
    match request quick header "Host" value "*domain1.tld" 
    forward to 
    match request quick header "Host" value "*domain2.tld" 
    forward to 
}

and relays like:

relay "www01proxy" {
    listen on $gateway port http
    protocol "httpproxy"

    forward to  port http
}

relay "www02proxy" {
    listen on $gateway port http
    protocol "httpproxy"

    forward to  port http
}

So this setup works but now it gets confusing if I add another protocol and 
relay to the above

http protocol "differenthttpproxy" {
    match request quick header "Host" value "*domain3.tld" 
    forward to 
}

relay "www03proxy" {
    listen on $gateway port http
    protocol "differenthttpproxy"

    forward to  port http
}

now my relays 1 and 2 stop working, no traffic reaches the hosts. The order of
the relays is

www03
www01
www02

in the config, but it shouldn't be a problem because the protocols used are different. So, coming to strange part two: I disabled the new relay and, well, the sites for relay 1 and 2 started to be reachable again, but also the match defined in the newly defined protocol is still working. That's something that shouldn't happen at all.


what I did between the changes was checking the syntax and a

rcctl reload relayd

I am reluctant to do a restart because it happens to crash the VM. The VM is
running 6.1 with all syspatches applied.

regards




Re: httpd rewiterules like apache

2018-11-01 Thread Markus Rosjat

Hi,


On 01.11.2018 at 11:40, Tony Boston wrote:

You should definitely try the relayd(8) route here.

that would be forwarding it to the IP like

match request quick header "Host" value "*some.tld" forward to 

but that wouldn't solve something like

RewriteRule ^(.*) http://some.tld/someotherdir/$1  [L,P]

so a http://www.my.tld would go to http://some.tld/something.http but wouldn't
go to http://some.tld/someotherdir/something.http

or do I get it wrong?




httpd rewiterules like apache

2018-11-01 Thread Markus Rosjat

Hi all,

I was wondering if it is possible to do a proxy rewrite like with the
Apache rewrite mod?


RewriteRule ^(.*) http://some.tld/$1 [L,P]

So here the P flag should preserve the original domain in the URL and
just proxy the request to the other location (not on the same machine!)


Since there is redirection I can do this, but then the URL of course gets
replaced in a block directive


 block return 301 "http://dome.tld$REQUEST_URI"

I read that there is rewrite support, but as far as I figured it's just
for locations on the filesystem?


regards




Re: syntax error and doas.conf

2018-10-31 Thread Markus Rosjat

Hi Bruno,


On 31.10.2018 at 12:23, Bruno Flueckiger wrote:

On 31.10.18 10:42, Markus Rosjat wrote:
Losing ten minutes time because of a mistake you've made all by yourself
made you write this useless mail. Imagine how many times you could have
read the man page of doas(8) and find out that there is the parameter -C
to check the config file.

Cheers,
Bruno


thank you for the attitude!

Now I learned even more that it's better not to share mistakes and keep them
to yourself so the real pros are not bored by your findings, because they
are too simple to be made.


I appreciate it!




Re: syntax error and doas.conf

2018-10-31 Thread Markus Rosjat

Hi


On 31.10.2018 at 10:52, Consus wrote:

Well, that's why we have sudoedit. With doas you are forced to

$ doas cp -p /etc/doas.conf /etc/doas.conf.new
$ doas vi /etc/doas.conf.new
$ doas -C /etc/doas.conf.new
$ doas mv /etc/doas.conf.new /etc/doas.conf

yeah, and by default there is no sudo package installed, or is it (at
least it isn't in the 6.x releases if I remember right)?! Just try a
sudoedit on a fresh install and see if it works. As far as I understand
the doas approach, it's there to provide a simple way of achieving things like


sudo /do/this/cmd

because 99% of the time you only need root privileges to do something like
that. So some very nice guy, I think his name is Ted, thought "hey, let's
simplify it and skip all the heavy stuff that sudo brings along". At
least I imagine he thought something like that :)


regards




syntax error and doas.conf

2018-10-31 Thread Markus Rosjat

Hi all,

just something I noticed while trying out stuff with doas and my python
scripts. If you make a mistake and have a syntax error in the doas.conf
file you can easily lock yourself out of root privileges :(


consider a case where your root has no password, you are the guy in the
wheel group and of course you have only this line


permit persist keepenv :wheel

so far everything is peachy; ok, we are going to add a new line

permit nopass foo as root cmt /root/scripts/dosomething

and we save it ... oops, we made a mistake and would like to fix it, no worries, we
can ... or can't we?


doas vi /etc/doas.conf

doas: syntax error at line 15


at this point you are a bit screwed because you can't edit the doas.conf,
you can't reboot; your only way seems to be a switch off. Ok, maybe there
are other ways, but hey, I'm no pro, I'm a simple user and it's a VM, so switch it
off. Boot in single user mode, run an fsck, mount the
partitions, export the TERM var so you get a vi. Well, seems we are back
in business, but no, we can't edit /etc/doas.conf. Doesn't matter, we came so
far, we simply copy the example to /etc and be done with it. At that
point 5 to 10 min of your life is wasted with silly stuff, but you may
have learned at least one thing ... read again what you just wrote before
you save it :)



Have a nice day list :) and happy Halloween




Re: migrate python script from sudo to doas

2018-10-31 Thread Markus Rosjat

Hi Vincent


On 30.10.2018 at 16:03, Vincent Legoll wrote:

Maybe you should try like the following:

cmd = ['doas', 'useradd',
   '-u', user_id,
   '-g', '=uid',
   '-s', '/sbin/nologin',
   '-d', mb_parent_dir,
   user_name]
exit = subprocess.check_call(cmd)



this doesn't solve the problem; if I try it like that, check_call complains
that it needs a string as user_id. If I do make something like


u_id = '%s' % user_id and plug u_id in as the arg, I'm back to square one. So
it seems this is a doas-related issue and needs some adjustment in
doas.conf. If this isn't resolvable I will just install the sudo package
using the "pointing a cannon at a sparrow" approach :(


regards




Re: migrate python script from sudo to doas

2018-10-30 Thread Markus Rosjat

Hi,

as I stated before, on the cmd it is no problem; I'm using the 6.4 release


On 30.10.2018 at 12:56, Solene Rapenne wrote:

Markus Rosjat  wrote:

hi all,

I have some old python scripts that use os.spawnl to execute stuff
like useradd combined with sudo. This worked just fine on systems with
sudo installed, but these days we have doas and it's totally enough for
the things I use to do, so I said to myself "let's update these old scripts
...". In code this was basically replacing os.spawnl with
subprocess.check_call, but when I run this the useradd command doesn't
get executed by the script. On the cmd it does, so this works on cmd:

doas useradd -u 666 -g =uid -s /sbin/nologin -d
/var/mail/domain.tld/vmailuser0666 vmailuser0666

but in the script, with code like this:

   exit = subprocess.check_call(['doas', 'useradd', '-u %s' % user_id,
                                 '-g =uid',
                                 '-s /sbin/nologin',
                                 '-d %s' % mb_parent_dir,
                                 user_name])

I get an exception that seems to be related to the fact that doas isn't
really working here

doas: Authorization failed <- this comes from the script even though the
provided password is correct

Traceback (most recent call last):
    File "/root/scripts/mb_add", line 244, in 
      mb_addresses)
    File "/root/scripts/mb_add", line 174, in add_mailbox
      user_name])
    File "/usr/local/lib/python2.7/subprocess.py", line 190, in check_call
      raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['doas', 'useradd', '-u 666',
'-g =uid', '-s /sbin/nologin', '-d /var/mail/domain.tld/vmailuser666',
'vmailuser666']' returned non-zero exit status 1

So if someone has had some issues with migrating scripts from sudo to
doas, then some help or hints would be very appreciated.


regards

hi

what openbsd version are you using?
did you try the command outside of python?

There were issues with doas a few days ago in snapshots.






migrate python script from sudo to doas

2018-10-30 Thread Markus Rosjat

hi all,

I have some old python scripts that use os.spawnl to execute stuff
like useradd combined with sudo. This worked just fine on systems with
sudo installed, but these days we have doas and it's totally enough for
the things I use to do, so I said to myself "let's update these old scripts
...". In code this was basically replacing os.spawnl with
subprocess.check_call, but when I run this the useradd command doesn't
get executed by the script. On the cmd it does, so this works on cmd:


doas useradd -u 666 -g =uid -s /sbin/nologin -d 
/var/mail/domain.tld/vmailuser0666 vmailuser0666


but in the script, with code like this:

 exit = subprocess.check_call(['doas', 'useradd', '-u %s' % user_id,
                               '-g =uid',
                               '-s /sbin/nologin',
                               '-d %s' % mb_parent_dir,
                               user_name])

I get an exception that seems to be related to the fact that doas isn't
really working here


doas: Authorization failed <- this comes from the script even though the
provided password is correct


Traceback (most recent call last):
  File "/root/scripts/mb_add", line 244, in 
    mb_addresses)
  File "/root/scripts/mb_add", line 174, in add_mailbox
    user_name])
  File "/usr/local/lib/python2.7/subprocess.py", line 190, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['doas', 'useradd', '-u 666', 
'-g =uid', '-s /sbin/nologin', '-d /var/mail/domain.tld/vmailuser666', 
'vmailuser666']' returned non-zero exit status 1


So if someone has had some issues with migrating scripts from sudo to
doas, then some help or hints would be very appreciated.



regards

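A Python 3 version of the privileged call from this post, as an added example that is not the poster's script: it builds the argv with every option and value as its own element, validates the inputs before they reach doas, and separates a doas refusal from a useradd error. The helper names, the /var/mail root check and the login-name pattern are assumptions, not anything from the thread.

```python
"""Added example (not from the mailing list thread): run 'doas useradd ...'
from Python with a well-formed argv and input checks.

Assumptions: helper names are hypothetical; the mailbox root /var/mail/ is
taken from the paths quoted in the traceback; the login-name pattern is a
deliberately conservative choice, not the OpenBSD rule.
"""
import re
import subprocess
from typing import List

# Conservative login-name pattern (assumption): lowercase, digits, '_' and '-'.
_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
# Home directories for virtual mail users must stay below this tree (assumption).
_MAILBOX_ROOT = "/var/mail/"


def build_useradd_argv(user_id: int, mb_parent_dir: str, user_name: str) -> List[str]:
    """Return argv for 'doas useradd' with each option and value separate.

    The original script passed '-u 666' as ONE element.  Typed on the cmd,
    '-u' and '666' are two words, and that is what useradd expects from
    execve(); a single word with an embedded space is a different argument.
    """
    if isinstance(user_id, bool) or not isinstance(user_id, int) or user_id <= 0:
        raise ValueError("user_id must be a positive integer, got %r" % (user_id,))
    if not _USERNAME_RE.match(user_name):
        raise ValueError("refusing suspicious user name %r" % (user_name,))
    if not mb_parent_dir.startswith(_MAILBOX_ROOT) or ".." in mb_parent_dir.split("/"):
        raise ValueError("home directory outside the mailbox tree: %r" % (mb_parent_dir,))
    return [
        "doas", "useradd",
        "-u", str(user_id),
        "-g", "=uid",            # group id equal to the uid, as on the page
        "-s", "/sbin/nologin",
        "-d", mb_parent_dir,
        user_name,
    ]


def argv_is_well_formed(argv: List[str]) -> bool:
    """True when no element smuggles whitespace (the defect in the original list)."""
    return all(not any(ch.isspace() for ch in a) for a in argv)


def run_privileged(argv: List[str]) -> int:
    """Run argv and tell a doas refusal apart from a useradd failure.

    doas itself prints 'doas: Authorization failed' when it does not authorize
    the caller; anything else on stderr comes from useradd.  Both end in a
    non-zero status, so the message is the only way to distinguish them.
    """
    if not argv_is_well_formed(argv):
        raise ValueError("argv contains whitespace inside an element: %r" % (argv,))
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        if "Authorization failed" in proc.stderr:
            raise PermissionError("doas refused %s: %s" % (argv[1], proc.stderr.strip()))
        raise subprocess.CalledProcessError(proc.returncode, argv, proc.stdout, proc.stderr)
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample values, mirroring the ones quoted in the thread.
    good = build_useradd_argv(666, "/var/mail/domain.tld/vmailuser0666", "vmailuser0666")
    original = ["doas", "useradd", "-u 666", "-g =uid", "-s /sbin/nologin",
                "-d /var/mail/domain.tld/vmailuser0666", "vmailuser0666"]
    print("fixed argv well formed:   ", argv_is_well_formed(good))
    print("original argv well formed:", argv_is_well_formed(original))
```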



Re: 6.4 doas gives "command not found" if no #!/bin/sh up top

2018-10-30 Thread Markus Rosjat

Hi all,


Derek wrote:

Adding a "#!/bin/sh" at the top of the scripts made them all work again.


it seems this is also happening with python scripts even if you have a
shebang. To solve this you should change lines like


#!/usr/local/bin/python

to

#!/usr/bin/env python

After this change was made, doas worked as expected with the script.

regards




cyrus-sasl/openldap question

2018-10-24 Thread Markus Rosjat

Hi there,

it seems getting sasl working with ldap is a lifetime task. The sad thing is I
had it working, but only after adding/deleting packages of specific
versions of cyrus-sasl, and I don't know which you really need to get it
working in a "clean" setup. So to all the people out there who are
running services like sendmail or courier with openldap and sasl: could you
point to the proper package to use, or do I really need to install one
package and then replace it with another so that just the proper libs are
present somewhere on the system (this seems kind of bad)? And the docs on
cyrus-sasl are a big fk^ in my opinion, but that's another story.


regards




Re: FAM Question

2018-10-22 Thread Markus Rosjat

Hi Julian,


Am 22.10.2018 um 01:26 schrieb Julian Suschlik:

FAM/gamin execute programs when parts of the filesystem change AFAIK.

My goto program for this is entr (http://entrproject.org/) available as
port under sysutils/entr  (http://ports.su/sysutils/entr)



I still don't get what you're trying to tell me. I simply need to know how
to start gamin as a background process since the FAM package isn't around
anymore. Usually there would be some kind of rc script in rc.d somewhere,
but there isn't. There isn't a man page to be found, so I'm lost as to how
to get things running.


regards




Re: FAM Question

2018-10-21 Thread Markus Rosjat

hi Julian,

Am 20.10.2018 um 01:01 schrieb Julian Suschlik:

Would sysutils/entr help?


can you be more specific?

thank you




relayd smtp traffic

2018-10-19 Thread Markus Rosjat

Hi all,

once again a silly question (but maybe someone is willing to answer)
about relayd. Is it possible to determine the domain of the recipient
and, depending on this, redirect the traffic to a specific server behind
the relayd machine? What I try to do is set up a test mailserver and just
redirect mail traffic for a domain to this machine.



regards




FAM Question

2018-10-19 Thread Markus Rosjat

Hi there,

it seems there is no FAM package anymore but there is a gamin package, so
is this a replacement for FAM? And following up on that, how the heck do
I get gamin to work? There seems to be no rc script for it, but if it
works like FAM there should be a process running, right? The docs or
pkgconfig don't say anything regarding this, so I'm kinda lost here. So
if someone has some information about that, please share.


regards




migrate users from old system

2018-10-16 Thread Markus Rosjat

hi all,


what is the right way to do a migration of users from one system to
another? I did the following, but it seems to get some problems with
permissions on the files and directories.


1. copy passwd, group, master.passwd to new machine

2. clean up files (some users don't exist anymore)

3. use pwd_mkdb to create a new db

this gave no errors, but after migrating some files with rsync to the new
machine it seems that some directories are not read-/writeable (for example
by openLDAP) even though all the permissions are set correctly.


So I wonder if it might have to do with the user accounts themselves. Any
advice would be helpful.


Regards




Re: CARP on Hyper-V VM

2018-10-16 Thread Markus Rosjat

Hi Ricardo,


You must set the VM's network adapter to 'Enable MAC address spoofing'
under 'Advanced Features'.


nope, this isn't solving the problem. I can only ping the virtual ip from
the local machine still. It might need the NDIS Extension enabled on the
vSwitch too, but I didn't change that because of the probable network
disconnection. I will give it a shot later.


regards

Markus




CARP on Hyper-V VM

2018-10-16 Thread Markus Rosjat

Hi there,

I just have a question about CARP on Hyper-V VMs. It seems there was a
problem with the virtual IP not being reachable from anywhere other than the
machine itself. Since I tried to set up CARP on such a VM and noticed the
same behaviour on an OpenBSD 6.1, I wonder if this issue is resolved in 6.3?


regards




OT: how do you write your tools /scripts for everyday tasks

2018-05-30 Thread Markus Rosjat

Hi all,

this is more a post to get an overview of how the pros (not me ... you
guys) put their tools together. I can write simple shell scripts and
this is ok, but I do a little python coding once in a while and noticed
I'm going to write my tools in python. Sure, it's a little overhead and
most of the time you end up using subprocess to call an existing tool
that you would use on a cmd anyway. So what are you guys using these days,
is it shell scripts, c programs, perl or?


Would be cool to get some feedback on that :)

regards





Re: httpd index directive confusion

2018-05-30 Thread Markus Rosjat

hi Paco,

Am 30.05.2018 um 13:31 schrieb Paco Esteban:

On Wed, 30 May 2018, Markus Rosjat wrote:


so I Configure my Location in httpd.conf like this

location "/admin/*" {
    root "/path/to/my/site/admin"
    root strip 1
    directory index index.php

    fastcgi socket "/run/php-fpm.sock"

    authenticate with "/users/me/mysite_passwd"
}


have you tried to put "index.php" (in double quotes) ?
I may be wrong, but I think I had a similar issue in the past.

Cheers,
Paco.



I tried both, it didn't help.

regards





httpd index directive confusion

2018-05-30 Thread Markus Rosjat

Hi there,

I hope someone can sort this out for me, but I don't get it. I get a
nice "Primary Script unknown" message when I try to reach a defined
location.


I try to reach https://UrlToMySite.tld/admin/ and in this location is an
index.php file


so I configure my location in httpd.conf like this

location "/admin/*" {
    root "/path/to/my/site/admin"
    root strip 1
    directory index index.php

    fastcgi socket "/run/php-fpm.sock"

    authenticate with "/users/me/mysite_passwd"
}

in my opinion this should show me the generated index.php but instead I 
get file not found. When I call the index.php explicitly like 
https://UrlToMySite.tld/admin/index.php it works.


so where do I go wrong here?

regards





Re: HPPA 720/60 and PS/2 Keyboard

2018-05-22 Thread Markus Hennecke
On Mon, 21 May 2018, Otto Moerbeek wrote:

> On Mon, May 21, 2018 at 12:29:13PM +0200, Markus Hennecke wrote:
> 
> > I tried updating my HPPA box from 6.2 to 6.3, but when booting the release 
> > or -current bsd.rd kernel the keyboard repeats the last key pressed. The 
> > 6.2 release did not show this behaviour. Is there anyone out there running 
> > 6.3 or -current on hppa?
> > 
> > Markus
> 
> There was a diff from miod floating around to fix this:
> 
> https://marc.info/?l=openbsd-tech=152536826316030=2

Thanks a lot.
After installing via serial console and building a kernel over night I can 
confirm the patch fixed the problem.

Markus



Re: HPPA 720/60 and PS/2 Keyboard

2018-05-21 Thread Markus Hennecke
On Mon, 21 May 2018, Markus Hennecke wrote:

> I tried updating my HPPA box from 6.2 to 6.3, but when booting the release 
> or -current bsd.rd kernel the keyboard repeats the last key pressed. The 
> 6.2 release did not show this behaviour. Is there anyone out there running 
> 6.3 or -current on hppa?

Of course it is a 712/60, fingers were faster than the brain.

Markus



HPPA 720/60 and PS/2 Keyboard

2018-05-21 Thread Markus Hennecke
I tried updating my HPPA box from 6.2 to 6.3, but when booting the release 
or -current bsd.rd kernel the keyboard repeats the last key pressed. The 
6.2 release did not show this behaviour. Is there anyone out there running 
6.3 or -current on hppa?

Markus



Re: Status of X i386 openbsd 6.2 on x200

2018-04-14 Thread Markus Lude
On Mon, Apr 02, 2018 at 09:26:58PM +0200, Markus Lude wrote:
> On Sun, Apr 01, 2018 at 09:41:07PM +, flipchan wrote:
> > Hello all,
> > 
> > I have tried to install 6.1 and 6.2 on a thinkpad x200; it works but X 
> > does work ...
> > 
> > It works great with 6.0 but then I don't get the good 6.2 packages and 
> > features such as syspatch. 
> > 
> > 
> > It seems like a well known problem:
> > https://marc.info/?l=openbsd-bugs=150506076421862=2
> > 
> > 
> > Does anyone know the status of this/ if anyone is working on this ?
>  
> The problem still exists. The drm diff back then was quite huge and I am
> unable to break it down in smaller chunks to see where the cause therein
> is.
> The T61 is quite old and still runs with 6.1.
> It is new for me that newer Thinkpads do have the same problem. Could
> you please post a trace of your crash?

I now moved from i386 to amd64 on the T61. I haven't seen the drm related
crash since then. Upgrade through 6.2 to 6.3 worked.

Regards,
Markus




Re: Using stmp auth for local account with PHP scripts

2018-04-04 Thread Markus Rosjat

Hi again,


Am 04.04.2018 um 15:34 schrieb Christophe Simon:

Yes, that should do the trick.

The only problem that you could face is the certificate validation in 
PHPMailer: if you connect to `localhost` using a TLS connection, unless 
your certificate presents `localhost` as a CN (or a SAN), there's a 
chance that the client refuses to establish the connection (I don't 
remember if certificate validation is enabled by default in PHPMailer).


If you don't want to bypass certificate validation, one possible way 
to overcome this issue is to set an entry in your chroot's 
`/etc/hosts` pointing your certificate's CN to `127.0.0.1`, or include 
`localhost` in your certificate SANs. And if your certificate is self 
signed, you'll have to manually accept it.



I will give it a try, thank you for the advice.

Regards




Re: Using stmp auth for local account with PHP scripts

2018-04-04 Thread Markus Rosjat

Hi,

I will answer in the text below :)

Am 04.04.2018 um 13:52 schrieb Christophe Simon:

Hello,

I'd say that all depends on the function/library you're using in your 
PHP application to send mails.


The `mail()` command, for instance, uses the `sendmail` binary to 
directly ingest your message in your local mail spool, and thus does not 
require any authentication. The mail is sent on behalf of the identity 
your web server runs under. There are options to set the appropriate 
sender in the message headers, obviously.




no, we don't want to use the binary in the chroot, that somehow feels just wrong :)

If you're using a library such as `PHPMailer`, you'll want to use the 
SMTP protocol, either locally (on lo0) (1), or remotely (on your mail 
provider's SMTP service) (2).




since it will be WP (I know ...) it has PHPMailer and it should be able 
to send with the SMTP protocol.



It's up to you to define if you want authentication on the loopback port 
(but it's better to do so).


If you're using your local MTA to send emails (1), either using the SMTP 
protocol on lo0 or the `sendmail` binary, there's chances you'll want to 
use a relay host to avoid being blacklisted by your recipients' servers 
(or you should take care to have a resolvable public IP with correct SPF 
configured in your DNS). Such a configuration has been very well 
illustrated by Michael below.




I have set up the local smtpd to relay mails from local connections, so 
it only listens on lo0, but hey, PHPMailer will connect on lo0 and can still 
be abused if the WP around it allows it. I basically force the user 
to use something like recaptcha, but even then I would like to do 
something with authentication though.


for me a short example would be helpful; for now I basically let a script 
run once an hour to check if the maillog shows somewhat strange traffic 
to the relay.


is enabling auth on lo0 simply this?

pki hostname certificate "/path/to/cert"
pki hostname key "/path/to/key"


table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets

listen on lo0 port submission tls auth

accept for any relay via tls+auth://relaycred@relayhost:587 auth <secrets>


And then I can just set up PHPMailer to use the submission port on 
localhost with some credentials?


Regards





Re: httpd.conf path substitution

2018-04-04 Thread Markus Rosjat



Am 04.04.2018 um 00:05 schrieb Michael Hekeler:

Am Thu, 29 Mar 2018 17:13:10 +0200
schrieb Michael Hekeler <mich...@hekeler.com>:



Ah - I see what you're trying to do...

But SNI doesn't mean one single certificate for multiple hostnames
(this you can do with multiple entries in the certificate subject alt
name).

SNI means serving multiple hostnames on ONE ip address



jepp, that's what it is


SNI is an extension by which a client (e.g. a webbrowser) indicates
(hence the name: server name INDICATION) one of these multiple
hostnames in the TLS handshake. Then the server can choose the
right certificate to present to the client.



I know


So if you want to serve domain1, domain2 and domain3 each on https then
you need
cert1 for domain1 and
cert2 for domain2 and
cert3 for domain3



I have that basically, but some domains belong, in a way, together and 
could be served with one cert.



If every domain has its own ip then you don't need SNI.
But if all domains share the same ip, then the client and the server
must be SNI compatible.
When the client requests domain2 the server will be able to present
cert2.

Of course you can issue a single cert with domain1, domain2 and
domain3 in the certificate's subject name and configure the server to
present this cert on every request. But that's no SNI.



it only presents this cert for the specific virtual hosts


Anyway, I'm okay with hardcoding the path to the cert into the 
virtual host definition. I was just wondering if I did something wrong 
or if it's simply not supported.


Regards





Re: Status of X i386 openbsd 6.2 on x200

2018-04-02 Thread Markus Lude
On Sun, Apr 01, 2018 at 09:41:07PM +, flipchan wrote:
> Hello all,
> 
> I have tried to install 6.1 and 6.2 on a thinkpad x200; it works but X does 
> work ...
> 
> It works great with 6.0 but then I don't get the good 6.2 packages and 
> features such as syspatch. 
> 
> 
> It seems like a well known problem:
> https://marc.info/?l=openbsd-bugs=150506076421862=2
> 
> 
> Does anyone know the status of this/ if anyone is working on this ?
 
The problem still exists. The drm diff back then was quite huge and I am
unable to break it down in smaller chunks to see where the cause therein
is.
The T61 is quite old and still runs with 6.1.
It is new for me that newer Thinkpads do have the same problem. Could
you please post a trace of your crash?

Regards,
Markus



Using stmp auth for local account with PHP scripts

2018-04-01 Thread Markus Rosjat
Hi there,  

There are simple ways of relaying local mails (connection on lo0 on port 25) to 
another mailserver. This is okay for logs and stuff, but what about mails 
created by PHP on the local webserver? How do I get smtpd to still do auth 
with username and pwd on lo0? Is it possible, or do I need to configure the 
"external" addr too for this purpose?

Regards

Markus



httpd.conf path substitution

2018-03-29 Thread Markus Rosjat

Hi there,

it's not really an issue, but I noticed that if I want to substitute a path for 
the tls key or cert I get a syntax error from httpd -n


So is there some special syntax for this, or is it simply not possible to 
do something like


tls_key ="/path/to/key"
tls_cert ="/path/to/cert"

server "domain.tld" {

 tls {
key $tls_key
certificate $tls_cert
 }

}

regards





Re: httpd / acme-client confusion

2018-03-19 Thread Markus Rosjat

Hi,


acme-client can only validate an authorization that way.

but for a forced renewal for something that's already active, there's
likely to already be a validated authorization on the letsencrypt account,
in which case it wouldn't need to revalidate.



I did a forced renew after I got a valid certificate and stopped the 
httpd before I did the forced renew



if you really stopped httpd and there is still something listening then
there is another webserver process running.
You can check locally with netstat(1) or 'ps -aux'


there was no other process running since I checked that before I did the 
forced renew.


I will do the suggested changes to the config and keep an eye on it. My 
main problem was with the block statement; the other thing I just noticed 
as I did testing with the config and started forcing the renewal of the 
certificate.


regards





Re: stop syslogd from opening port 514 UDP

2018-03-16 Thread Markus Hennecke
Am 16.03.2018 um 11:42 schrieb Torsten:
> Hi!
> 
> On my OpenBSD 6.2 syslogd is listening to port 514, even though it is
> not started with "-r" (to receive remote syslog messages). It does not
> actually seem to log anything if I send something to port 514 UDP,
> however, I want the machine to be invisible when someone is probing for
> open ports. I know I could use PF as a workaround, but can't I not
> prevent syslogd from opening that port in the first place?

The command line option is "-u" to receive remote syslog messages. If
that option is not given and no logging rules exist to send to a remote
host the socket is closed per default since 6.2. Perhaps you are logging
to a remote host?
The syslogd here on my 6.2 system has not opened port 514.

Kind regards
Markus



Re: httpd / acme-client confusion

2018-03-16 Thread Markus Rosjat

Hi,

thanks for the samples, I will give it a try, but I'm wondering why 
acme-client still works even though httpd is not serving any kind of location 
for a challenge exchange? Like I said, I stopped httpd entirely and still 
got a new certificate with acme-client.


But if it works as expected after I apply the suggested changes, I'm okay 
with it :)


regards

Markus

Am 16.03.2018 um 08:42 schrieb Florian Obser:


this works for me:

server "tlakh.xyz" {
    listen on 0.0.0.0 tls port 443
    listen on :: tls port 443
    tls certificate "/etc/ssl/tlakh.xyz.crt"
    tls key "/etc/ssl/private/tlakh.xyz.key"
    hsts
    location "/shop.6.html" {
        block return 402
    }
    location "/coffee.6.html" {
        block return 418
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
    }
}
server "tlakh.xyz" {
    listen on 0.0.0.0 port 80
    listen on :: port 80
    hsts
    block return 302 "https://$HTTP_HOST$REQUEST_URI"
}


On Thu, Mar 15, 2018 at 11:01:42AM +0100, Markus Rosjat wrote:

Hi there,

I'm kinda confused right now about it. I have an OpenBSD 6.1 running a simple
httpd.conf with a definition for an http server and an https server;
so far so good. I figured I need to have an http server so acme-client can
talk to Let's Encrypt and issue certificate requests, also no big problem, but
now it gets confusing. I tried to automate the certificate renewal and, as far
as I understand the docs, httpd.conf gets evaluated top to bottom with the first
matching rule found. So this would mean a definition like:

ext_addr="*" # it's just one nic with one external ip on that vm

server "mydomain.tld" {
    listen on $ext_addr port http

    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
        directory no auto index
    }

    block return 302 "https://$HTTP_HOST$REQUEST_URI"
}

should enable acme-client to renew certificates but redirect other traffic
to the https server. Well it doesn't! So I need to comment out the block
statement to renew the certificate. That's a thing I could live with and just
invent some script that loads a different conf file just for the renewal and,
when the certificate is obtained, just load the normal httpd.conf and restart
httpd. I was playing around and stumbled over the fact that acme-client
suddenly can renew certificates even without running httpd in the first
place o.O That's just wrong, since there isn't support for dns-01
challenges, right? I stopped httpd to check that the site wasn't reachable and
did a

acme-client -vvF mydomain.tld

it gave me a new certificate from let's encrypt ...


anyway, can someone who has the insight please tell me what's going on here and
maybe post a config example that works for a basic https redirect? Or is it
really the case that I need to load a config that hasn't got a block return
statement in the http server definition?

One last note, I did a syspatch today and don't know if this changed
something in the behaviour of the components involved.

regards










httpd / acme-client confusion

2018-03-15 Thread Markus Rosjat

Hi there,

I'm kinda confused right now about it. I have an OpenBSD 6.1 running a 
simple httpd.conf with a definition for an http server and an https server;
so far so good. I figured I need to have an http server so acme-client 
can talk to Let's Encrypt and issue certificate requests, also no big 
problem, but now it gets confusing. I tried to automate the certificate 
renewal and, as far as I understand the docs, httpd.conf gets evaluated top to 
bottom with the first matching rule found. So this would mean a definition like:


ext_addr="*" # it's just one nic with one external ip on that vm

server "mydomain.tld" {
    listen on $ext_addr port http

    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
        directory no auto index
    }

    block return 302 "https://$HTTP_HOST$REQUEST_URI"
}

should enable acme-client to renew certificates but redirect other 
traffic to the https server. Well it doesn't! So I need to comment out 
the block statement to renew the certificate. That's a thing I could live 
with and just invent some script that loads a different conf file just 
for the renewal and, when the certificate is obtained, just load the normal 
httpd.conf and restart httpd. I was playing around and stumbled over 
the fact that acme-client suddenly can renew certificates even without 
running httpd in the first place o.O That's just wrong, since there isn't 
support for dns-01 challenges, right? I stopped httpd to check that the 
site wasn't reachable and did a


acme-client -vvF mydomain.tld

it gave me a new certificate from let's encrypt ...


anyway, can someone who has the insight please tell me what's going on here 
and maybe post a config example that works for a basic https redirect? 
Or is it really the case that I need to load a config that hasn't got a block 
return statement in the http server definition?


One last note, I did a syspatch today and don't know if this changed 
something in the behaviour of the components involved.


regards





pf dropping fragmented UDP despite of scrub no-df

2017-12-04 Thread Markus Wernig
Hi all

I have this at the beginning of pf.conf:

match all scrub (reassemble tcp no-df )
match out all scrub (random-id)

Behind that FW is a (OpenIndiana) DNS server that fragments those of its
UDP replies that are too large for the local MTU (1500). (Log below is
from a DNSKEY query, the failure of which results in DNSSEC validation
failing.)
The server also sets the DF bit on the fragmented packets ...
The external IP dns1-external.domain.tld is natted on the firewall to
dns1-internal.domain.tld.

The fragmented replies reach the internal firewall interface, but never
go out again. There is a log entry for both fragments of the reply
packets (even though the rule is set to not log), and no further notice.

I thought that with the no-df scrub option this should no longer happen
... I must be missing something, but what? I've bumped my head into this
too long now, maybe somebody spots what I can't.

(FWIW: The same query over IPv6 (no nat - the server is dual-stack)
works, but then the requesting client has issues with reassembling the
packets :-[)


tcpdump on internal interface:

13:23:09.374991 72.13.58.105.44267 > dns1-internal.domain.tld.domain:
[udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO
(36) (ttl 46, id 38692, len 64)
13:23:09.376370 dns1-internal.domain.tld.domain > 72.13.58.105.44267:
47368*- q: DNSKEY? domain.tld. 5/0/1 domain.tld. DNSKEY[|domain] (frag
7478:1480@0+) (DF) (ttl 255, len 1500)
13:23:09.376377 dns1-internal.domain.tld > 72.13.58.105: (frag
7478:110@1480) (DF) (ttl 255, len 130)

13:23:14.380440 72.13.58.105.44267 > dns1-internal.domain.tld.domain:
[udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO
(36) (ttl 46, id 53971, len 64)
...


tcpdump on pflog0 (the matching rule is set to not log):

Dec 04 13:23:09.376397 rule def/(fragment) [uid 0, pid 0] pass in on
vlan210: [uid 4294967295, pid 10] dns1-internal.domain.tld.domain >
72.13.58.105.44267: 47368*- q: DNSKEY? domain.tld. 5/0/1
domain.tld.[|domain] (frag 7478:1480@0+) (DF) (ttl 255, len 1500)
Dec 04 13:23:09.376413 rule def/(fragment) [uid 0, pid 0] pass in on
vlan210: [uid 4294967295, pid 10] dns1-internal.domain.tld >
72.13.58.105: (frag 7478:110@1480) (DF) (ttl 255, len 130)

Dec 04 13:23:14.381860 rule def/(fragment) [uid 0, pid 0] pass in on
vlan210: [uid 4294967295, pid 10] dns1-internal.domain.tld.domain >
72.13.58.105.44267: 47368*- q: DNSKEY? domain.tld. 5/0/1
domain.tld.[|domain] (frag 7491:1480@0+) (DF) (ttl 255, len 1500)
...


tcpdump on external interface:

13:23:09.374546 72.13.58.105.44267 > dns1-external.domain.tld.domain:
[udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO
(36) (ttl 46, id 38692, len 64)

13:23:14.380013 72.13.58.105.44267 > dns1-external.domain.tld.domain:
[udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO
(36) (ttl 46, id 53971, len 64)
...

Thx /markus
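As an added diagnostic (example code written for this archive page, not from the post or from OpenBSD), the script below parses tcpdump's "(frag id:size@offset+)" notation and the rule prefix that pflog lines carry, groups fragments by IP id, and reports whether each datagram could be reassembled (contiguous offsets from 0, last fragment without the more-fragments flag) and whether DF is set on packets that are already fragments, which is the oddity the post describes. The sample lines are constructed to match the shape of the captures quoted above; the names and addresses in them are placeholders, not a real capture.

```python
import re
from collections import defaultdict

# tcpdump fragment notation "(frag id:size@offset+)", optionally followed by
# "(DF)"; size is the fragment payload length, "+" means more fragments follow.
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)(?: \((DF)\))?")
# Rule prefix printed by tcpdump on pflog0: "rule NAME [uid U, pid P] pass in on IFACE:"
RULE_RE = re.compile(r"rule (\S+) \[uid \d+, pid \d+\] (pass|block|match) (in|out) on (\w+):")

# Constructed sample lines shaped like the tcpdump and pflog output in the post
# (not captured from the poster's firewall). Two lines describe the same fragment
# as seen on the internal interface and on pflog0; datagram 7491 never gets its tail.
SAMPLE_LINES = [
    "13:23:09.376370 dns1-internal.domain.tld.domain > 72.13.58.105.44267: "
    "47368*- q: DNSKEY? domain.tld. 5/0/1 domain.tld. DNSKEY[|domain] "
    "(frag 7478:1480@0+) (DF) (ttl 255, len 1500)",
    "13:23:09.376377 dns1-internal.domain.tld > 72.13.58.105: "
    "(frag 7478:110@1480) (DF) (ttl 255, len 130)",
    "Dec 04 13:23:09.376413 rule def/(fragment) [uid 0, pid 0] pass in on "
    "vlan210: [uid 4294967295, pid 10] dns1-internal.domain.tld > 72.13.58.105: "
    "(frag 7478:110@1480) (DF) (ttl 255, len 130)",
    "13:23:14.381860 dns1-internal.domain.tld.domain > 72.13.58.105.44267: "
    "47368*- q: DNSKEY? domain.tld. 5/0/1 domain.tld.[|domain] "
    "(frag 7491:1480@0+) (DF) (ttl 255, len 1500)",
]


def parse_line(line):
    """Return the fragment fields of one line (plus the pf rule if the line
    came from pflog), or None for a line that is not a fragment."""
    m = FRAG_RE.search(line)
    if not m:
        return None
    frag_id, size, offset, more, df = m.groups()
    rec = {"id": int(frag_id), "size": int(size), "offset": int(offset),
           "more": more == "+", "df": df is not None, "rule": None}
    r = RULE_RE.search(line)
    if r:
        rec["rule"] = {"name": r.group(1), "action": r.group(2),
                       "dir": r.group(3), "iface": r.group(4)}
    return rec


def check_reassembly(lines):
    """Group fragments by IP id and decide whether each datagram is complete:
    offsets must be contiguous from 0 and the highest fragment must not carry
    the more-fragments flag. Also flags DF set on fragments and lists which pf
    rules the fragments hit according to pflog lines."""
    by_id = defaultdict(dict)   # id -> offset -> fragment record
    rules = defaultdict(set)    # id -> names of pf rules seen for it
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # The same fragment may show up on several interfaces; keep one per offset.
        by_id[rec["id"]].setdefault(rec["offset"], rec)
        if rec["rule"]:
            rules[rec["id"]].add(rec["rule"]["name"])
    report = {}
    for frag_id, frags in by_id.items():
        expected = 0
        contiguous = True
        for off in sorted(frags):
            if off != expected:
                contiguous = False
                break
            expected += frags[off]["size"]
        last = frags[max(frags)]
        report[frag_id] = {
            "complete": contiguous and not last["more"],
            "total_len": expected if contiguous else None,
            "df_on_fragment": any(f["df"] for f in frags.values()),
            "fragments": len(frags),
            "rules": sorted(rules[frag_id]),
        }
    return report


if __name__ == "__main__":
    for frag_id, r in sorted(check_reassembly(SAMPLE_LINES).items()):
        print(frag_id, r)
```

Feeding it real output (tcpdump -n on the inside interface plus tcpdump on pflog0) shows at a glance whether all fragments of a reply arrived, which rule pf matched them to, and whether the sender is setting DF on fragments; a datagram reported as complete on the inside but absent on the outside narrows the problem to the firewall itself.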



board or boards with case for a router firewall

2017-11-02 Thread Markus Rosjat

Hi there,

we use mostly Soekris for our router/firewall solution with OpenBSD, but 
since there seems to be not much development and they are still kinda 
expensive... I was wondering if you guys could give some 
suggestions on other hardware for this use case?


Also, boards with more than 4 NICs would be interesting, so if someone 
would like to share their experiences it would be much appreciated


regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT



